Businesses feel biometric data bonanza slipping through their fingers

U.S. businesses, their associations and their attorneys are coming out in the open to challenge biometric privacy laws and regulations. Or, more directly, to challenge provisions that by anyone’s estimation are siding decidedly with consumers who want to control their data.

If there was a period when business owners were worried about offending customers by appearing avaricious about collecting, using and sharing consumer biometric data, that time is past.

Access to biometric data is being described as an existential matter in market economies on both sides of the North Atlantic.

Critics of the European Union’s General Data Protection Regulation’s privacy framework say it is dooming companies there to a distant third place finish in data-based competition, behind the disorganized United States and the autocratically focused China.

Some libertarian voices published in RealClear Policy go too far, saying, without proof, that innovation in Europe has already been harmed.

(Privacy advocates have said Europeans have marginally more control over their biometric data because of GDPR.)

Meanwhile, critics of the U.S. Congress, AWOL on any kind of privacy framework (and for a long time), say three dozen states with their own privacy laws cannot be right.

The Troutman Pepper law firm has published a straightforward accounting of state actions, and even that is sobering.

According to the firm, California, Kentucky, Maine, Maryland, Massachusetts, Missouri and New York introduced biometric privacy laws since January 1.

For the uninitiated, Kentucky, Maine and Missouri are conservative to very conservative, politically. Legislation that does not give businesses a freer hand in things typically has a lifespan measured in seconds.

The long-ago fright about having to collect online retail taxes from all the relevant taxing bodies in the nation is a kindergarten math problem compared to the coming privacy-compliance nightmare.

Patchwork regulation is still decried, but the time to make that case is over, and the savvy know it.

They instead want a business-friendly federal privacy framework that specifically preempts states’ laws, a position pushed in the RealClear Policy article. Any fig leaf bill probably would do.

And the sooner the better.

The Federal Trade Commission last month settled with WW International and Kurbo, its subsidiary, in a complaint that WW (formerly Weight Watchers) violated the Children’s Online Privacy Protection Act.

The app Kurbo by WW collected biometric information from children without getting parents’ permission.

WW was hit was a $1.5 million civil penalty, but, more important, it was told to destroy “models or algorithms developed in whole or in part” using children’s personal information — including persistent identifiers — collected by the app. Going beyond injunctive relief and monetary penalties is an unusually harsh step, known as disgorgement, according to an article posted by Wiley Rein.

The Kurbo by WW case got a lot of attention in legal circles.

It was discussed in a webinar earlier this month hosted by the law firm Squire Patton Boggs. The subject matter was trends in biometric privacy and AI in 2022. It was noted with some foreboding that it was the first time disgorgement was released in a COPPA case.

Article Topics

biometric data  |  biometric identifiers  |  biometrics  |  BIPA  |  data protection  |  Europe  |  GDPR  |  legislation  |  privacy  |  regulation  |  United States