Privacy advocates cheered when Illinois passed its Biometric Information Privacy Act (BIPA) in 2008 regulating commercial use of finger, iris, and facial scans. With companies such as Facebook Inc. and Google Inc. developing facial tagging technology, it was clear that laws would be needed to ensure companies didn’t collect and use biometric data in ways that compromised an individual’s right to privacy. If you lose your credit card, it’s easily replaced. But what happens when a company loses, or tries to profit from, your fingerprint?
Although the Illinois law was seen as a possible model for other states, aggressive lobbying by companies most interested in gathering biometrics has reshaped or killed similar efforts across the country. Only two other states have enacted biometric privacy laws—Texas, in 2009, and Washington, in May. Bills introduced in eight other states didn’t pass, leaving a regulatory chasm over data privacy across the U.S. In some states, like New York, agreeing on even a basic definition of biometrics to include in the proposals was a challenge. Congress and the White House remain committed to using biometrics in the interest of intelligence gathering and national security, while retail regulation has been limited to best-practices guidance by the Federal Trade Commission.
The Washington law might be the best example of industry pushback on attempts to regulate biometric data. The measure, which takes effect on July 23, is a watered-down version of BIPA, at best, says Alvaro Bedoya, executive director of Georgetown Law’s Center on Privacy & Technology. It places fewer limits on the use of biometric data than BIPA while narrowing consumer consent requirements and allowing certain exemptions for images already online.