Modern technologies found in sensors, software, and readers make it increasingly possible to use fingerprints, facial recognition, retinal or iris scans, voiceprint reading, gait analysis, or keystroke analysis to identify a person.
In response to these technologies, some state legislatures (Arkansas, California, Illinois, New York, Texas, Washington) have enacted biometric information privacy laws that govern the collection and use of this data.
For example, in Illinois, the Biometric Information Privacy Act (BIPA) provides a set of rules for companies collecting biometric data—and unlike the biometric data privacy statutes in Texas and Washington, it creates a private cause of action, allowing Illinois residents whose biometric data is improperly collected or used to file a lawsuit for the violation of the statute.
There are essentially five key features of the Illinois law known as BIPA:
• it requires informed consent prior to collection;
• it prohibits any profiting from biometric data;
• it allows only a limited right to disclose the data;
• it sets forth both protection obligations and data retention guidelines for businesses; and
• it creates a private cause of action for those harmed by BIPA violations.
In Texas, the regulation of biometric information is governed by the Texas Business and Commerce Code, specifically under Section 503.001, which addresses the Capture or Use of Biometric Identifier. This law requires that businesses obtain consent before capturing a biometric identifier such as a fingerprint, retina or iris scan, or other unique biological pattern or characteristic used to identify an individual. The law also prohibits the sale of biometric data and sets guidelines for the secure storage and destruction of biometric identifiers. Unlike Illinois' BIPA, Texas does not provide a private cause of action for individuals; instead, enforcement is carried out by the state attorney general, who may file suit for violations that can result in civil penalties. The Texas law focuses on the unlawful capture or use of biometric data and does not include the same comprehensive set of rules found in BIPA, such as specific data retention guidelines or the prohibition of profiting from biometric data.