4 US governments get biometric privacy rules on the table, off the ground
U.S. state and local governments are pinching off the abilities of businesses to freely use facial recognition algorithms on their customers. It is just a few government bodies so far, but they are not working from a template.
Four recent developments – in New York, California, Iowa and Colorado — stand out.
Bloomberg Law reportedly received copies of two New York City bills regulating large classes of businesses using biometric matching or surveillance to ID customers. The city has debated the topic for several years.
One bill would make it illegal for business owners to identify people using biometric systems in places of accommodation without getting written consent and telling people how the data will be managed and shared.
The other would ban identifying people without their consent in multiple-dwelling residential buildings. Only eight bits of data could be collected, including biometric identifiers if a digital access system, installed in common areas, uses the identifiers.
It is difficult not to read the first proposal as a way to stop the powerful owner of Madison Square Garden Entertainment from using facial recognition code to prevent anyone he considers personal or professional antagonists from entering Madison Square Garden and other managed venues.
Both ideas likely will be introduced at a city council meeting April 27.
In a housekeeping move, meanwhile, California state regulators have updated rules to harmonize two landmark biometrics regimes – the Consumer Privacy Act, often referred to as the CPPA, and the Privacy Rights Act, or CPRA.
State leaders consider this a high-water mark for broadly protecting individuals’ privacy rights, especially those that minimize data collection and the use of dark patters. The new rules are now in effect.
The agriculture-dominated and staunchly conservative state of Iowa also has enacted what lawmakers bill as a comprehensive privacy law. It does not give state residents the right to force corrections in errors in their collected biometric data. Nor does it give them the right to take companies to court.
Iowa’s law, signed this month, has a fairly detailed description of how it can be applied.
According to the National Law Review, the law applies to companies doing business in the state and either control the data of at least 100,000 residents or claim more than half of their gross revenue from selling or processing the data of at least 25,000 residents.
Iowa also limits actionable data transactions to those involving monetary consideration. And there is no right of action for residents. Complaints go to the attorney general’s office which decides if a case is brought. Companies can be fined but residents are not compensated for mistakes or misuse.
The state of Colorado has gotten deeper into private-sector biometrics regulation as well. Lawmakers have created rules that finalized the Colorado Privacy Act. Lawmakers had three years, beginning in 2021, to agree to the rules for implementation. The act goes into effect July 1.
According to an analysis of the result by law firm WilmerHale, some businesses have looked to the California Privacy Rights Act as a benchmark, but there are significant differences between the two regulatory regimes.
Third-party processing is covered in the CPRA, but not in the Colorado law. The differences are important because Colorado businesses sell into California, which has a much bigger economy.
Article Topics
biometric identifiers | biometrics | California | Colorado | data privacy | facial recognition | New York City | regulation
Comments