U.S. state proposes concise list of do’s and don’ts for biometrics use
Lawmakers in the commonwealth of Kentucky are considering a surprisingly clear and concise set of rules for businesses working with biometric data. The bill would not pertain to state government agencies.
House Bill 32 has just four key components.
First, private organizations doing business in the commonwealth and holding broadly defined biometric identifiers and information would have to write and make available policies for how long the data will be retained and how it will be destroyed.
The data would have to be destroyed as soon as its initial mission is completed or within three years of the identifier owner's last interaction with the business.
Second, the entity would have to get consent before gathering, buying or trading for someone’s biometric identifiers, including voice, face, finger and palm prints.
Third, organizations would not be able to profit from identifiers.
Last, businesses could disclose or distribute a person’s biometric identifiers and information only with written consent or when compelled by laws or warrants.
Exceptions to what counts as an identifier include a person’s physical characteristics like height and hair color as well as graphical medical test results.
And those wronged by a business would have a right to recourse, winning liquidated and actual damages.
Concern about how identifiers — particularly face biometrics — are being regulated is nearly global.
A think tank in India this month published its worries about civil society’s disinterest in how their most critical identifiers are being used.
In the United States, the aging Biometric Information Privacy Act in Illinois is the most visible and contentious bulwark against undue profiting and misuse of residents’ biometric data. It covers all the ground set out in Kentucky’s bill, centering on consent.
The California Consumer Privacy Act is the only other major piece of legislation in the United States.
Perhaps the law having the biggest impact on biometric privacy, however, is the European Union’s General Data Protection Regulation. It still leaves enough unregulated actions on the table to cause consternation.
Privacy advocates have used these pieces of legislation to prevent misuse of data, but few focused on the matter express complete satisfaction.