The Eyes Have It: How Data Privacy Laws Interact with Biometric Data

By Samantha Palladino

To read this article, I am willing to bet at least half of you unlocked your smart device using fingerprint or facial recognition. Welcome to the world of biometric data!

In an attempt to reduce the amount of fraud experienced by consumers across the globe, many companies have turned to some form of biometric identification, such as face, hand, voice, or even iris recognition.[1] This trend toward implementing biometric identifiers is on the rise: Global Market Insights estimates that the biometrics market will surpass $50 billion by the year 2024.[2]

Biometric data refers to the physical or behavioral characteristics of a human being that can be used for recognition purposes. It is therefore highly personal information.[3]

When companies begin to collect such information from their customers, they must take into consideration the data privacy laws that are triggered around the world. Two of the most prominent regulatory landscapes that companies will encounter are those of the European Union (EU) and of individual states within the United States.[4] The EU's General Data Protection Regulation (GDPR) took effect on May 25, 2018.[5] GDPR protects EU residents with respect to the use of their personally identifiable information (PII), which includes biometric data.[6]

Now, if you are thinking that GDPR does not apply to you because you are not located in the EU, think again! GDPR applies to any company, wherever it is located, that offers goods or services to, or monitors the behavior of, individuals in the EU.[7] Therefore, if you wish to collect biometric data from individuals in the EU, you must comply with GDPR, which permits processing only on one of its enumerated lawful bases. Because biometric data used to uniquely identify a person is a special category of data under the GDPR, the basis companies most commonly rely on is the individual's explicit consent. In addition to obtaining consent, the GDPR requires companies to honor the individual's right to erasure of their PII from the company's records.[8]

The United States' regulatory framework is more fragmented because there is no comprehensive federal data privacy law. Instead, each state may enact and enforce its own data privacy regulations.[9] For example, the California Consumer Privacy Act (CCPA) regulates the use of PII of California residents. The CCPA gives Californians the right to know what PII is being collected, the right to delete that PII, and the right to opt out of the sale of such PII.[10] The CCPA's definition of personal information expressly includes biometric data.[11]

California is just one of the numerous states within the US that have already enacted such forms of data privacy law. Elsewhere, Illinois enacted the Biometric Information Privacy Act (BIPA), the first state law to specifically regulate biometric data and provide a private cause of action for consumers,[12] and New York reintroduced the New York Privacy Act (NYPA), a comprehensive consumer privacy act similar to the CCPA, in May of 2021.[13] As the use of biometric data continues to grow, it is likely that other states will implement similar data privacy regulations in the near future.[14]

Biometric data is inherently useful, and the number of ways companies can implement it into their everyday business functions, and their respective intellectual properties, will inevitably rise, especially following the shift to a virtual lifestyle due to the COVID-19 pandemic. However, if companies wish to avoid steep penalties (under the GDPR alone, administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher[15]), it is important that the data privacy regulatory landscape is closely watched and strictly adhered to. For more information regarding biometric data and its ethical use, visit the Biometrics Institute's organization webpage.


[1] See Brett Beranek, AI and Biometrics in 2021: Predictions, trends, and insights for what may lie ahead, Security Magazine (Feb. 9, 2021), https://www.securitymagazine.com/articles/94548-ai-and-biometrics-in-2021-predictions-trends-and-insights-for-what-might-lie-ahead.

[2] Preeti Wadhwani & Saloni Gankar, Biometrics market will exceed USD 50 billion by 2024, Global Market Insights (Aug. 10, 2017), https://www.gminsights.com/pressrelease/biometrics-market.

[3] Ryan N. Phelan, Data Privacy Law and Intellectual Property Considerations for Biometric-Based AI Innovations, Security Magazine (Jun. 12, 2020), https://www.securitymagazine.com/articles/92559-data-privacy-law-and-intellectual-property-considerations-for-biometric-baseed-ai-innovations.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] See GDPR Art. 6 §1(a) & Art. 17 §1.

[9] Angelique Carson, Data privacy laws: What you need to know in 2021, OSANO (last updated Jul. 20, 2021), https://www.osano.com/articles/data-privacy-laws.

[10] California Consumer Privacy Act (2018), State of California Dept. of Justice (last visited Jul. 27, 2021), https://oag.ca.gov/privacy/ccpa.

[11] Id.

[12] Woodrow Hartzog, BIPA: The Most Important Biometric Privacy Law in the US, Regulating Biometrics: Global Approaches and Urgent Questions 96, 96-7, https://ainowinstitute.org/regulatingbiometrics-hartzog.pdf.

[13] Maya Atrakchi, Jason Gavejian, Joseph Lazzarotti, & Damon Silver, Is New York Next? A Comprehensive Consumer Privacy Bill Reintroduced, JDSupra (May 26, 2021), https://www.jdsupra.com/legalnews/is-new-york-next-a-comprehensive-5376834/.

[14] Ryan N. Phelan, Data Privacy Law and Intellectual Property Considerations for Biometric-Based AI Innovations, Security Magazine (Jun. 12, 2020), https://www.securitymagazine.com/articles/92559-data-privacy-law-and-intellectual-property-considerations-for-biometric-baseed-ai-innovations.

[15] Elizabeth C., Costs of Non-Compliance with Privacy Laws, Privacy Policies (May 21, 2021), https://www.privacypolicies.com/blog/costs-non-compliance-privacy-laws/#Gdpr.
