USA: Biometric privacy laws and their impact on financial services
Financial services companies often use biometric identifiers such as fingerprints, facial scans, and voiceprints to authenticate their customers, enhance security, and provide beneficial services. Whilst regulators point to biometrics as an important tool to help protect customers' accounts and sensitive financial data from unauthorised access, both federal and state laws in the US are moving towards greater protection of biometric information itself, including with laws that impose notice, consent, and retention requirements by companies that collect biometrics from consumers. Duane C. Pozza, Partner at Wiley Rein LLP, compares existing biometric laws across states, and how federal laws also aim to protect biometric data.
State privacy laws
Under current law, companies' privacy obligations as to biometric information can vary state by state, and laws are continuing to evolve in ways that companies should monitor closely. This area should be watched not only by financial institutions, but by vendors and service providers who may handle customers' biometric information.
States have enacted different laws that cover biometric information, and four states in particular have privacy laws that directly affect how biometric information is handled. Two of those, Illinois and Washington, currently exempt federally-regulated financial institutions, but still cover third-party vendors and service providers who are not regulated as financial institutions. The others, Texas and California, contain only partial exceptions for financial institutions.
The Illinois Biometric Information Privacy Act 2008 ('BIPA') contains strict requirements for providing notice and obtaining consent when collecting biometric information. BIPA defines a 'biometric identifier' as 'a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.' It also covers 'biometric information,' defined as 'any information, regardless of how it was captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.' BIPA requires both written notice and consent for collection of biometric information. Additionally, those in possession of the data cannot sell or profit from the data, and cannot disclose it in most cases without consent. They must also establish and follow a written retention schedule, as set forth in BIPA.
BIPA contains a private right of action, meaning that consumers can file lawsuits for alleged violations of the statute, and hundreds of such lawsuits have been filed to date. Additionally, under recent Illinois Supreme Court precedent, private plaintiffs do not need to show any individual harm in order to bring suit and seek monetary relief.
BIPA does state that it shall not apply to a financial institution or affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 ('GLBA') and the rules promulgated thereunder, which are discussed in more detail below. However, third-party vendors and others that are not directly subject to the GLBA are not exempt from BIPA. Notably, BIPA imposes obligations on non-exempt companies that come into possession of the information, even if they did not directly collect it. Software and data storage service providers, for example, should pay close attention to whether their activities implicate BIPA.
Washington also has a biometric-specific privacy law, Chapter 19.375 of the Revised Code of Washington ('the Washington Law'), covering 'biometric identifiers,' which means 'data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.' The Washington Law also exempts financial institutions and affiliates that are subject to Title V of the GLBA and implementing regulations, but could still reach certain service providers.
Unlike BIPA, the Washington Law is narrower and does not contain a private right of action, instead leaving enforcement to the state Attorney General. The Washington Law generally imposes obligations for 'enroll[ing] a biometric identifier in a database for a commercial purpose,' and exempts uses of the data that are in furtherance of a security purpose. The obligations include notice, consent, and limitations on disclosure for a commercial purpose.
The Texas biometric-specific law, Chapter 503, Title 11 of the Business and Commercial Code ('the Texas Law'), covers 'biometric identifier[s],' meaning 'a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.' As for financial institutions, it specifically exempts voiceprint data retained by financial institutions or an affiliate of a financial institution, as defined in §6809 of the GLBA (15 United States Code). Thus, financial institutions remain subject to the Texas Law when dealing with other kinds of covered biometric data.
The Texas Law prohibits capturing an individual's biometric identifier for a 'commercial purpose,' without informing the individual and receiving the individual's consent. It limits the disclosure of biometric identifiers captured for a commercial purpose, unless certain conditions are met. It also requires covered companies to use reasonable care in protecting from disclosure, storing, and transmitting biometric identifiers, in addition to an obligation to destroy them within a 'reasonable' time.
Thus, the Texas Law has broader applicability to financial institutions, but the full extent of what a 'commercial purpose' would be under the law, which can be enforced by the Texas Attorney General but not private plaintiffs, is untested. Unlike the Washington Law, the Texas Law does not specifically distinguish between commercial purposes and security purposes, which could be a factor in using biometric identifiers for authentication purposes.
Biometric information is regulated under California's broader privacy bill, the California Consumer Privacy Act of 2018 ('CCPA'). The CCPA defines 'biometric information' very broadly to include, among other things, 'imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint can be extracted,' as well as 'keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.'
The CCPA contains numerous requirements, and the California Attorney General is currently finalising proposed regulations to implement many of its provisions. One key aspect is requiring covered businesses to provide notice of the categories of personal information they collect and the purposes for which the information is used. Consumers can also request that personal information be deleted, although there are exceptions for detecting security incidents and protecting against fraudulent activity.
Notably, the CCPA exempts personal information 'collected, processed, sold, or disclosed' pursuant to the GLBA and implementing regulations from most of its requirements. However, because it exempts certain information, but not financial institutions themselves, financial institutions must consider which of the information they collect falls under GLBA obligations. If the information does not fall under the GLBA, then the CCPA requirements would apply.
Altogether, these laws create a patchwork of legislation for financial institutions and their security and authentication business partners. In Illinois and Washington, financial institutions are exempt but many of their partners likely are not. In Washington and Texas, covered companies must determine whether the use of biometric information is for a commercial purpose. In California, they must follow different rules for different kinds of data depending on how federal law applies. As well as this, each state has its own definition of what kind of biometric information is covered.
This situation is likely to become even more complex. Other states have considered their own biometric-specific legislation, as well as more general privacy laws that would cover biometrics. We are likely to see further state action without a federal privacy law that would pre-empt state regulation in this area.
At the federal level, in the absence of biometric-specific rules, financial institutions must consider how any biometric information they collect fits into existing frameworks of federal law.
Financial institutions in the US are well experienced with the GLBA and its implementing regulations, which govern financial institutions' privacy practices regarding certain personal information. Under the GLBA, financial institutions must provide certain notices explaining the categories of information collected, providing information about how it is shared, and disclosing consumers' opt-out rights as to sharing with certain non-affiliated third parties.
In general, the GLBA protects 'personally identifiable financial information' that is not publicly available, which includes the information a consumer provides to obtain a financial product or service, information about a consumer resulting from a transaction involving a financial product or service, and information otherwise obtained in connection with providing a financial product or service. In short, financial institutions will need to make a case-by-case determination as to whether the GLBA covers consumers' biometric information that is collected. As noted above, this determination will be relevant not only for GLBA-compliance purposes, but for CCPA-compliance purposes as well.
In addition to the GLBA, financial institutions are subject to the Federal Trade Commission ('FTC') Act of 1914, which prohibits unfair or deceptive acts or practices. This can be enforced against non-banking financial institutions by the FTC and against banks by their regulators. The FTC has brought numerous enforcement actions alleging that companies, including financial institutions, made misrepresentations about their use and disclosure of personal information, or took insufficient steps to protect personal information. The FTC is likely to continue to scrutinise companies' practices when it has jurisdiction.
At the same time, legislators in Congress are currently considering federal privacy proposals that could lead to a greater regulation of biometric collection and use. A recent Senate draft bill by Senator Roger Wicker, for example, would require consent for processing biometric information, though it has certain exceptions for security. This draft legislation does not categorically exempt financial institutions, but instead exempts data collection, processing, or transfer activities governed by the GLBA, which may require a similar analysis as under the CCPA.
One final note is that federal regulators and states can bring actions against companies that suffer a breach and are alleged not to have implemented 'reasonable' security measures. The FTC, for example, can bring such actions against non-banking financial institutions, and states have become increasingly proactive when there is a data breach. Many states also include biometric information in their data breach notification laws. While biometrics can be used for security purposes, financial institutions and their service providers need to make sure that this information is treated securely as well.
The laws in the area of biometric privacy continue to evolve, and we may see yet more enforcement, not only through private suits in Illinois but potentially through further state action. Financial services companies must be mindful of these laws and ongoing developments as they move forward with utilising consumers' biometric information.
Duane C. Pozza, Partner
Wiley Rein LLP, Washington