While school and business interactions have flooded the internet as societies adjust to the COVID-19 pandemic, regulations protecting biometric data privacy have not been relaxed, which means some of these online interactions may be risking fines or other regulatory action, JD Supra reports.
In an article by Carlos Arévalo and Molly Arranz of SmithAmundsen LLC, accusations that Google has violated the Illinois Biometric Information Privacy Act (BIPA) and the Children’s Online Privacy Protection Act (COPPA) are held up as examples of the risk to companies as new activities are moved online. COPPA applies to all children across the U.S. under the age of 13.
Businesses using online conferencing or other communication platforms are advised to take several steps before allowing recordings or any interaction that could involve facial or voice data. The first step is to determine what biometric information is being collected, including identifiers that are captured simply through voice or video recordings. Disclosures currently in place should be evaluated, and express written consent obtained from all customers, employees, and participants for any biometric information that is collected and stored. A written policy establishing data retention schedules and deletion procedures should not only be developed but also made publicly available, and federal regulations, including COPPA, must not be forgotten in the effort to comply with state laws.
The state law on biometric privacy that has generated the most litigation, BIPA, could have national implications, attorneys Kenneth D. Walsh and Mary Smigielski of Lewis Brisbois Bisgaard & Smith LLP write for Bloomberg Law.
Google has been sued in the Northern District of California for alleged violations of both BIPA and COPPA, which demonstrates the extraterritorial reach of BIPA, according to the report.
Before taking any action to leverage biometric technology to boost physical or logical access controls, such as with facial recognition-based time and attendance or mask detection systems or fingerprint readers for employees working from home, businesses should ensure they are compliant with BIPA and any other potentially relevant regulations.
“Awareness of the requirements of BIPA is critical for any company with operations in or with a connection to Illinois,” the attorneys write, particularly as remote working and learning continue.
The implications of contactless temperature scans under U.S. privacy laws are likewise considered by three attorneys from Husch Blackwell LLP for JD Supra.
With plans for returning to work including temperature screening at many businesses, as recommended by the CDC, there is a risk of unintentional privacy law violations or liability exposure. New Jersey’s Governor has also suggested temperature checks of customers entering restaurants may be required.
The attorneys consider three options: simple infrared scanners that screen temperature from a few inches away, facial recognition devices with thermal scanning, which can typically scan people from further away, and wearables. State biometric privacy laws could apply to either of the latter two system types, including BIPA as well as the statutes in Texas and Washington, which lack a private right of action.
Information collected by the systems could also be subject to state breach notification and information security laws. Whether temperature information is defined as “medical information” under the California Consumer Privacy Act (CCPA) is unclear, but “biometric information” is clearly defined, though CCPA does not contain the same consent requirements as BIPA. Additional burdens could potentially be generated by CCPA, however, such as procedures for disclosure and deletion of people’s information on request.
The Equal Employment Opportunity Commission (EEOC) has advised businesses that employee temperature information is confidential, and the Americans with Disabilities Act requires medical information to be stored separately from employees’ personnel files.
The attorneys conclude by recommending best practices, including understanding the device used, vetting the company providing it, understanding the data security protections provided, and preparing notices for employees and customers of any system being used.