Lovelace Institute calls for stiff regulation covering biometric data in US

UK-based tech research and advocacy organization The Ada Lovelace Institute has posted a critique of biometrics oversight in America, written by a privacy advocate, and finds the biggest regulatory successes are in the past.

According to the article, only some U.S. lawmakers in some states have worked to regulate the use of biometric tools. There is no nationwide heat pushing privacy laws forward.

The post, on the Lovelace site, was written by Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation. It pays homage to the 2008 Biometric Information Privacy Act in the state of Illinois.

“More than a decade later, BIPA remains the gold standard for consumer biometric legislation in the United States. The act requires companies to obtain consent before collecting biometric data – a rare thing in the USA.”

It also forbids companies from selling information collected without permission. Organizations must disclose why data is collecting and communicate the rules for deleting it, too.

“Illinois’ BIPA set off a small trend in legislation after it first passed,” according to the blog post. A year later, Texas followed with a similar law, but it did not give individuals the right to sue for violations. Washington State passed its own version in 2017.

A subsequent wave of regulatory action, according to Tsukayama, came as part of a renewed push for criminal justice reform in the United States.

Law enforcement’s use of facial recognition “has led many communities to forbid this type of biometric application,” she wrote.

“Bans have recently been passed at the city level in San Francisco and Oakland (California) in 2019; in Portland (Oregon) in 2020; and in Minneapolis (Minnesota) in 2021.”

Tsukayama also mentions the 2021 Massachusetts law that introduced significant regulation of facial recognition and New York City’s limitation on how biometric identifiers can be collected by private organizations.

“These more moderate approaches demonstrate that even those who may see some benefits in using technologies such as facial recognition know that they cannot operate unchecked,” the Ada Lovelace Institute post reads.

The second part of the report focuses on biometrics regulation that ensures people can control their data, that freedom of expression is not deterred and that biased decisions are minimized.

This section also refers back to various regulatory agencies and courts that have been more active in developing state-level data protection regimes for biometric data collection.

Tsukayama concludes her report by recognizing the successful efforts of legislators, but calling for more oversight.

“The gains around protecting biometric information have not been easy and we cannot assume they will be permanent.”

She said the “story of biometric data regulation is still being written,” through ongoing discussions on regulatory and legislative interventions and seizing on important opportunities to raise awareness of the stakes.

“Companies and governments often try to cast ‘data’ as impersonal, but it is, in fact, deeply personal. It’s drawn from our actions, reflective of our beliefs, and tied to the core of who we are,” Tsukayama concludes.

“This personal connection is doubly true when it comes to biometric information – literally information derived from our bodies. Supposedly free societies should respect and protect it.”

The report comes days after the Ada Lovelace Institute published its widely-anticipated ‘Ryder Review,’ a report outlining the organization’s three years of research into the challenges and potential harms of biometrics used in England and Wales.

Article Topics

Ada Lovelace Institute  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data protection  |  EFF  |  facial recognition  |  legislation  |  privacy  |  regulation