Senate bill would place limits on use of facial recognition, other biometrics by private companies
Less than two months after legislation was introduced that would prohibit federal agencies from using facial recognition technology, as well as strip support from state and local law enforcement agencies that also leverage it, Sens. Jeff Merkley (D-Ore.) and Bernie Sanders (I-VT) introduced a bill on Tuesday that would ban private companies from collecting the biometric data of consumers and employees without their consent.
The bill, dubbed the “National Biometric Information Privacy Act of 2020,” covers a wide range of biometrics including eye scans, voiceprints, faceprints, fingerprints, palmprints, and even gait.
Under the legislation, companies would have to obtain a written release to collect, buy, sell, lease, trade, or retain an individual’s biometric data. The bill also requires companies to disclose to any inquiring individual the information the company has collected on them.
No later than 60 days after the bill’s enactment, companies with biometric data in their possession would be required to publish a written policy that establishes a retention schedule as well as guidelines for permanently destroying such identifiers and information.
“We can’t let companies scoop up or profit from people’s faces and fingerprints without their consent,” said Merkley in a statement announcing the bill’s introduction. “We have to fight against a ‘big brother’ surveillance state that eradicates our privacy and our control of our own information, be it a threat from the government or from private companies.”
“Do we really want to live under constant surveillance by unaccountable corporations? I don’t. We cannot allow Orwellian facial recognition technology to continue to violate the privacy and civil liberties of the American people,” added Sanders.
According to Jake Parker, Director of Government Relations for the Security Industry Association (SIA), the bill would essentially nationalize how everyone approaches the security of biometric data, similar to the Illinois Biometric Information Privacy Act (BIPA) passed in 2008, which he says has been a “disaster” and the security industry would undoubtedly be negatively impacted by its implementation should it be enacted in its current form.
“It’s poorly written, it doesn’t reflect a true understanding of how this biometric data is used and it would also be a bonanza for the class action bar, which we’ve already seen with Illinois BIPA and the lawsuits associated with that. There’s a wide range of them but many would be considered frivolous,” Parker says.
Parker adds that if there is indeed going to be a national law created to protect biometric data, SIA would like it to be part of larger data privacy framework which has already been discussed in both the House and Senate.
“It’s clear that there will need to be some type of framework like that soon given what Europe has done with GDPR, and also with a number of states beginning to pass their own rules which are going to conflict with each other and potentially create a patchwork (of regulations),” he adds. “It would be a nightmare for compliance.”
For its part, Parker says that SIA next week will release its own set of principles for responsible use of facial recognition technology, adding that they have already been in contact with several policymakers about the concepts to help ensure that these and other biometric systems can be used ethically and practically without resorting to extreme measures like banning their use altogether.
“We think more can be done to build public trust that government agencies using the technology, like law enforcement, are doing so responsibly and we can ensure accountability in the system to provide that reassurance,” he says.
In looking at the sheer number of requirements in the Merkley and Sanders bill, Parkers says there are many things that would trip up implementations of these technologies. Conversely, Parker explains there have been some more reasonable approaches proposed, such as S. 847 that was introduced last year by Sens. Roy Blunt (R-Mo.) and Brian Schatz (D-Hawaii) which deals specifically with facial recognition data and carves out provisions for specific applications of the technology, which is lacking in Merkley and Sanders proposal.
“We want to make sure biometric data is protected, but… if all these rules applied, it would basically take away the security benefit of the application,” he says.
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].