By Kyle Steenland, Associate Editor
If you search the term “biometrics technology” nearly 3 million results in a fraction of a second are at your fingertips. But what exactly does “biometrics technology” entail? Going by the definition, biometrics is the “the process by which a person’s unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity.” Homeland Security defines biometrics as the “unique physical characteristics that can be used for automated recognition.” Software using biometrics includes things like your face, iris structure, retina, your voice, or your fingerprint. Coupled with a layman’s understanding of technology in contemporary America, it is safe to assume that biometric technology is going to involve integrating some of our most fundamental and human features with software that will fuel the future.
In the past decade, this technology has become widely accessible through smartphones. By registering your fingerprint into the phone’s security settings, many of cutting-edge smartphones allow you to access the device with that fingerprint alone — essentially creating a digital signature unique to you alone. This feature, called “biometric authentication,” works by comparing unique features of the image (in this case, the unique patterns or ridges of your fingerprint) against the stored features of the image (here, the fingerprint used when you set up the fingerprint identification) of the “template.”
But biometric technology was not always this seamlessly integrated into society. In fact, up until now, biometric technology has predominately been used to document criminals. The latter dates back to as early as 200 B.C. to the Qin and Han Dynasties. Clay seal artifacts bearing ridge impressions have been found that are believed to have been used in the investigation of criminal activity. This practice eventually made its way to the United States in 1902 when the New York Prison System began fingerprinting prisoners as part of the recordkeeping process. Contemporary policing has taken everything to the next stage, and now collects DNA samples upon arrest for certain crimes.
With the history and principles of biometric technology predominately being used with the effectuation of criminal punishment, a topic that balances governmental power and citizens’ rights, it is understandable how states like Illinois, Texas, Washington, and New York are implementing laws regarding the use of biometric data to safeguard consumers.
Illinois began the trend when it passed the Biometric Information Privacy Act in 2008. This law regulates the use of biometric information and regulates the ways the information can be captured, stored, or shared. Violators accrue violations anywhere from $1,000 per violation up to $5,000 per plus the cost of actual damages. Compliance with this act requires entities to develop written policies regarding data retention and destruction protocols for unnecessary collected data, and requires all collected data to be destroyed within three years of an individual’s last interaction with the entity. Further, the act requires that entities provide written notice about the collection, storage, and use of the data and requires consent from anyone whose retained data falls within one of those categories.
Data being used for commercial purposes requires the disclosure of any sale, lease, trade, or profit from the biometric identifiers — as well as protection measures for confidential or sensitive information, such as genetic testing information, driver’s license numbers, or social security numbers.
The remaining listed states also now possess similar provisions for their laws, but also contain provisions regarding an employer’s ability to use biometric data in monitoring employees. Employer-collected data originally came about for timekeeping. To ensure hours were more accurately kept, to avoid wage theft, and to provide employees with a more seamless way to log their working hours, employers began using timeclocks utilizing biometric data. However, complications arose due to employers being unaware of the legal implications of biometric data, as well as the consequences of security breaches.
Google ran into complications with a recent feature of its Arts and Culture app. This feature allowed users to upload a facial photograph and have it matched against famous works of arts. However, the feature failed to pass the muster of Illinois’s biometric law, and it was promptly made unavailable to Illinois residents. The app failed to adequately obtain consent prior to use, and it failed to adequately inform consumers how their biometric features would be saved. Although workarounds exist, such as asking an out-of-state friend to run your image through it unrestricted, the principle remains that the feature is out of compliance with local law. But more importantly, it runs afoul of the principle behind the legislation: to provide consumers with the opportunity to avoid unduly sacrificing their privacy rights.
One of the motivating reasons for enactment of biometric retention and use laws was the significance that biometric data holds. It is one of the few features of our lives that remains out of an individual’s control to change. The scan of one’s iris or ridges on a fingerprint are immutable characteristics of one’s identity profile. These characteristics define individuals, and it should be an individual’s choice as to whether they want corporations to document their immutable traits. This goes to the protections enshrouded in the Fourth Amendment, and companies unduly possessing these characteristics erode Americans’ privacy. The United States is a country founded on the notion that its civilians are imbued with certain fundamental rights. Ironically enough, second to this notion is apparently the right of the civilian to sacrifice those endowed rights if they so choose. These biometric laws, although hampering, help to ensure that civilians are aware of the sacrifices they may be undertaking. Although regulations may be inconvenient, biometric data is surely worth protecting.
 Maryland v. King, 569 U.S. 435 (2013) (holding that DNA collected under the Maryland DNA Collections Act was constitutional as it represented a minimally invasive procedure and the test serves a legitimate state interest).
 Annemaria Duran, Understanding the Texas Biometric Privacy Law as an Employer, SwipeClock (Dec. 29, 2017), https://www3.swipeclock.com/blog/understanding-texas-biometric-privacy-law-employer/.
 A New Threat from An Old Source: Class Action Liability Under Illinois’ Biometric Information Privacy Act, Baker McKenzie (Oct. 16, 2017), https://www.bakermckenzie.com/en/insight/publications/2017/10/illinois-biometric-information-privacy-act.
 Duran, Understanding, supra note 8.
 Annemaria Duran, Learn How Washington’s New Biometric Privacy Law Affects Businesses, SwipeClock (Jan. 3, 2018), https://www3.swipeclock.com/blog/learn-washingtons-new-biometric-privacy-law-affects-businesses.
 Ally Marotti, Google’s art selfies aren’t available in Illinois. Here’s why., Chicago Tribune (Jan. 17, 2018, 7:00 AM), http://www.chicagotribune.com/business/ct-biz-google-art-selfies-20180116-story.html.