Navigating compliance requirements for biometric data collection: A guide for businesses
By Eva Kozar, Senior Account Executive, SEON
Businesses that collect biometric data must adhere to various compliance requirements, with laws such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and industry-specific regulations all impacting how firms can store and process such data. Let’s look at what’s involved.
The growing global case for biometric security
From the biometric Schengen Information System to the onboarding of a million customers with biometric tech by Eurasian Bank in 2022, businesses of all shapes and sizes are relying on biometric security and authentication. This means that they need to keep up to speed with compliance requirements.
The requirement to implement processes to comply with legislation on data handling is nothing new. Data protection laws and KYC compliance mandates have kept firms busy ensuring that they meet the latest standards. Yet regulatory obligations have often lagged behind when it comes to how to collect, store, and process biometric data.
At least, they did until around 2017.
It was in 2017 and 2018 that discussion of how biometric data should be regulated really went into overdrive, driven by a number of developments around the globe.
In China, the Cybersecurity Law came into force on 1st June 2017, including requirements around protecting biometric data privacy. China later passed the Personal Information Protection Law, which came into force in November 2021. This means that businesses operating in China have clear obligations when it comes to biometric data.
Meanwhile, in India, conversations around data privacy stepped up a level in 2017 when the country’s Supreme Court ruled that privacy is a “fundamental right.” India collects biometric data, including ten fingerprints and two iris scans, from all residents over the age of 18. The country has been trying to pass a personal data protection law for years, with the latest draft – the Digital Personal Data Protection Bill, 2022 – due to be considered by the Parliament of India in the first half of 2023.
The broadest piece of legislation to date, when it comes to biometric data, is the GDPR, which came into force on 25th May 2018. Any entity that collects or processes the personal data of European Union (EU) residents has to comply with the GDPR, including its requirements around biometric data. The Regulation prohibits the processing of “special categories of personal data,” which includes biometric data, and protects EU citizens from the non-consensual sharing of their data.
GDPR obligations in practice
The GDPR’s prohibitions do not mean that companies cannot process biometric data at all; they simply have to meet certain conditions. These include: the individual giving explicit consent to the processing of their data; processing in connection with legal claims; protection of the vital interests of an individual who is incapable of giving consent; public interest reasons relating to public health; and satisfying obligations under employment, social security and social protection law.
Biometric data regulations in the US
While all those who process the biometric data of EU residents must comply with the GDPR, there is no federal equivalent in the U.S. Instead, such protections are dealt with by state law, meaning businesses must comply with local regulations that differ depending on where they are based. Some larger firms also have self-regulatory guidelines agreed upon by the Federal Trade Commission. Any company that processes data belonging to EU residents naturally falls under the GDPR, as well.
The result is that some U.S. states have biometric data privacy laws while others don’t. Complicating matters is the fact that various governmental agencies do address the management of biometric data, at least to some degree. These include the National Institute of Standards and Technology, the Food and Drug Administration, the Federal Trade Commission and the Department of Health and Human Services through the Health Insurance Portability and Accountability Act (HIPAA).
Some of the leading regulatory progress in the US has been in California, which passed the California Consumer Privacy Act in June 2018 and the California Privacy Rights Act in November 2020. The two laws came into force on January 1st 2020 and January 1st 2023, respectively. Under Californian law, biometric data now warrants the same protection as other forms of personal information.
Between them, the GDPR and California’s legislation have influenced data protection laws in numerous other countries, including in relation to biometric data. Countries ranging from South Korea to Brazil have embraced this approach to data protection and regulation, with the latter’s General Data Protection Law (Lei Geral de Proteção de Dados) specifically including biometric data in its definition of sensitive personal data.
Compliance tips and best practices
Any business that collects biometric data must ensure that it complies with local requirements around protecting that data. It must also comply with industry-specific requirements, such as HIPAA for healthcare providers in the U.S.
This compliance starts with awareness. Before beginning to collect biometric data, the business needs to research and understand the legislation that applies to it. Next comes planning. Compliance with multiple pieces of legislation isn’t always easy, but a clear plan can help to identify what must be done and any potential issues, then lead on to a roadmap for meeting those obligations. Investing in this planning stage can help to save time and money further down the line.
When it comes to putting biometric data protection processes in place, businesses should obtain proper consent and keep a record of having done so. They should also implement strong security measures and keep them up to date as technology and threats change. Finally, companies should have clear, robust data protection policies in place, alongside training for all staff.
After putting processes in place to ensure compliance, businesses then need to monitor them on an ongoing basis. The aim is to ensure that compliance requirements are not breached and that any breach that does occur is reported in line with applicable requirements. Organizations under the jurisdiction of the GDPR, for example, have just 72 hours to report any breach to their supervisory authority.
Compliance can sometimes seem like a headache, with so many hoops to jump through. But compliance requirements exist for extremely important reasons. This is why every business must ensure that it takes all steps necessary to protect biometric data and meet the relevant compliance obligations.
About the author
Eva Kozar joined SEON Fraud Fighters in 2020, when it only had 20 fraud managers building this innovative and disruptive technology. Ever since then, she has supported SEON’s expansion success stories not only in LATAM but also in the rest of the world. Eva is passionate about travelling, cooking, and music.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.