The future of biometric data regulation must balance innovation and privacy

Biometric data can verify a person’s identity based on physical or behavioral characteristics, including fingerprints, facial scans, and voice recognition. Innovations in collecting and analyzing biometric data have allowed companies such as social media platforms to offer users new features and better verify people’s identities. Biometrics can also be used in the medical and financial industries to enhance consumer authentication and reduce fraud, making medical records and financial transactions more secure. 

However, concerns of potential misuse by companies and/or the government have led to calls to limit biometric data collection. Companies wishing to collect biometrics should be transparent in their collection and intent to use such data, and governments should set clear regulatory guidelines for companies to do so while still allowing room for innovation. 

An individual’s biometric data is unique to them. As such, industries that demand the strictest security measures can use biometric data to authorize that only specific people can access sensitive material. This can be applied as a primary authentication method or included in multi-factor authentication, along with passwords. A person’s fingerprints and facial geometry are significantly harder to forge, making them a much safer authentication option than solely a password. 

This technology can be used in the medical sector to better secure access to sensitive records. By requiring fingerprint scans before medical providers access medical records and facial scans to verify patients’ identities, the medical sector would have more security and reduced fraud. This technology does not have to just be used in a hospital or doctor’s office; in the telehealth sector, patients can use their facial scan to log securely into their online profile. The same principles can apply to the financial sector by allowing facial scans to confirm in-person and online banking identity. By using biometric authentication, industries where people demand the utmost security can be made more secure.

However, even accepting the usefulness of biometric data collection doesn’t eliminate concerns about how biometric data is secured, the use of biometric data for commercial purposes, and the potential to use biometrics for surveillance. Biometric data is unique to the individual, but unlike passwords or Social Security numbers, it cannot be replaced if the data falls into the wrong hands. This makes it extremely important that companies intending to collect biometric data have a secure infrastructure to keep such data safe. Because of the risks, there have been calls to require companies to obtain consent from users to use their data, restrict the sale of biometric data, and require deleting biometric data after its intended use.

Currently, Illinois, Texas, and Washington are the only states that regulate the collection and use of biometric data. All three laws require companies to obtain consent in some form from consumers before collecting their biometrics, prohibit selling their biometric data, and require companies to delete their biometric data shortly after its intended use. These regulations have led to costly legal action against companies collecting biometric data without consent. 

In July 2024, Meta, who owns Facebook, agreed to pay $1.4 billion to Texas over Facebook collecting users’ facial data for commercial purposes without consent. This settlement, the largest ever collected by an attorney general over privacy, follows Meta’s 2020 settlement with a class-action suit in Illinois for $650 million over the same issue. Meta did not admit wrongdoing in either settlement. 

From 2011 to 2019, Facebook used a feature called “Tag Suggestions” to scan photos uploaded to its site. It collected millions of users’ facial recognition data and used it to make it easier for users to find new people to add as “friends.” Users were automatically signed up for this facial recognition and collection feature unless they manually opted out in the settings tab. In 2019, after the Illinois class action suit first appeared, Facebook switched this feature, now called Face Recognition, to an opt-in service. In 2021, Facebook shut down the Face Recognition system and subsequently deleted over one billion people’s facial data. In announcing this action, Meta cited the lack of a clear regulatory framework for properly acquiring and using biometric data. 

Given the massive financial stakes involved in these cases, Meta was correct in stating that there needs to be clear regulatory guidelines for companies to follow regarding biometrics use. Only three states have laws about biometric data right now, but more states will likely adopt their own in the near future. 

To ensure that people’s biometric data is safe without risking the development of future innovations in biometric security, regulators should create flexible frameworks that allow for responsible innovation. For example, states can allow users to consent electronically, either with an electronic signature or by clicking an “I Agree” box. In 2024, Illinois amended its biometrics law to allow for electronic signatures to count towards obtaining consent, thus clearly defining how companies can obtain “informed consent” from users in a convenient and timely manner. Texas already allows for electronic consent, but Washington still requires documented consent. In addition, regulators can provide explicit guidelines on what information companies must disclose to consumers and how long they can retain biometric data. By doing this, companies can have more certainty that they comply with state laws, and consumers can feel more confident that their data is safe.

Regulators should not, however, restrict the use of biometric data too broadly or create specific requirements of how companies must store people’s data. All three states with biometric data privacy laws require that companies store biometric data safely and securely, but none of them demand a specific way to do so. Other states should adopt similar standards for their own laws. 

Disclosing the intended use of biometrics and obtaining consent is already a transparent process that allows companies to innovate and consumers to know what their data is being used for. States should resist overly restricting how companies use biometric data so long as consent has been obtained. By overregulating to keep people’s data safe, states ironically risk stifling the development of biometric security innovations that can make people’s data safer than ever. 

Biometrics are part of the broader debate over data privacy, but its unique specificity makes it arguably the most important aspect of it. If collected and used properly, biometric data can make the medical and financial sectors more secure. Businesses should take it upon themselves to be transparent about how they intend to use and secure consumers’ biometric data. Governments should provide a clear, consistent framework that businesses can comply with and be allowed to innovate within.   

The post The future of biometric data regulation must balance innovation and privacy appeared first on Reason Foundation.