July 31, 2018
The Myth of Fingerprints: The Privacy Pitfalls of Biometric Data
Rebecca E. Kuehn
If you are looking for a way to reduce losses, you may have heard that some dealerships are collecting fingerprints, both electronically and with ink and paper, from consumers who want to take a test drive. At first blush, it seems like a good idea to protect against theft of demonstrator vehicles (and to assist law enforcement in the event of a loss). But before adopting this as your dealership's next loss prevention strategy, take some time to consider the privacy implications and your state's laws.
On the federal front, there is no specific law addressing the privacy of biometric information collected by private companies. Historically, the Federal Trade Commission, which focuses on privacy and data security, has advocated for companies to provide notice prior to the collection and analysis of biometric information and to obtain consent for some uses of biometric data. These recommendations focus on the sensitivity of the data and the fairness to the consumer.
The more interesting developments have been at the state level. Currently, three states have laws that specifically address biometric privacy - Illinois, Texas, and Washington. The oldest, broadest, and strictest of these laws is the Illinois Biometric Information Privacy Act. Generally, the BIPA requires that private entities obtain a person's consent before scanning their "biometric identifiers" or collecting "biometric information."
The BIPA defines a "biometric identifier" as a scan of an individual's fingerprint, retina, or iris or a scan of an individual's hand or face geometry. The BIPA also applies to "biometric information," defined as "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." This means even devices that do not store an image of the biometric identifier, but instead create a template or unique identifier based on the image, fall within the scope of the BIPA.
The BIPA also prohibits the sale of biometric data and prohibits sharing the information except under certain defined circumstances. But what makes the BIPA even more concerning is the fact that it allows consumers to bring a private action. To date, there have been more than 30 class action lawsuits brought against various entities for violations of the BIPA.
Thankfully, the Texas and Washington laws are less broad in applicability and do not provide a private cause of action, but they similarly require notice to and consent from consumers and, like the Illinois law, are enforceable by the state attorney general.
All three of these states exempt "financial institutions" under the Gramm-Leach-Bliley Act, but remember that your dealership - even though it may be considered a "financial institution" for purposes of financing - may not be considered a financial institution with respect to test drives because test drives are separate from the dealership's financing functions. So, if you are operating in Illinois, Texas, or Washington, you need to consider the impact of these laws before implementing fingerprints as your risk reduction strategy. And if you are not operating in one of these states, you should still consider the consumer's privacy in the development of your program. After all, FTC enforcement and more state legislation may be just a matter of time.
*Rebecca E. Kuehn is a partner in the Washington, D.C., office of Hudson Cook, LLP. Becki can be reached at 202.715.2008 or by email at firstname.lastname@example.org.