Privacy group says data protections by US states differ greatly
Looking at the rising number of biometric privacy bills being floated by U.S. states, some civil liberties advocates are concerned that too many lack substantive consumer data protections.
As it happens, two of those states, Illinois and Maine, are working on biometrics legislation. One is (so far, at least) a stake-in-the-ground bill but the other does not spare the printer paper in suggesting restrictions on the use of consumer identifiers.
In Illinois, birthplace of the landmark Biometric Information Privacy Act, some lawmakers have proposed the Digital Voice and Likeness Protection Act, which would be applied retroactively.
While it has only recently been introduced, the Voice and Likeness Act focuses on how to properly transact a deepfake agreement.
The legislation would make it illegal to create and use a deepfake for something that the subject would normally have done. And anyone wanting to use synthetic identifiers would have to be clear in disclosing all proposed uses of them. Last, the subject would have to be adequately represented in the transaction.
That’s just about all the act has to say at this point and, as such, likely would not be rated highly by EPIC, the Electronic Privacy Information Center. The advocacy group has issued a report critical of state privacy law efficacy.
Nonprofit public interest group the U.S. PIRG joined EPIC with the report. Privacy legislation is categorized differently in the industry, which likely explains why Illinois is not one of 14 states analyzed for the report.
Enacted laws in nine states received poor or failing grades in the report. Iowa’s effort was rated four out of 100. The top-ranked law was in California, and it scored a not-so-respectable 69.
Strong legislation, the groups say, must require data-minimization obligations. It has to regulate all uses of biometrics data and create strong civil rights safeguards. Strong regulatory and enforcement powers must be enacted. And consumers must be able to take violators to court.
Without a thorough analysis of Maine’s Voice and Likeness legislation, it is difficult to say how closely it hews with the report’s guidelines. But that’s only because the act is dense with rules, definitions and remedies.
It covers several categories of consumer privacy with a focus on protection of all biometric identifiers. It also addresses protections for children under the age of 18.
The core of the document would be familiar to anyone who has read Illinois’ BIPA. Consent is required. Retaliation against someone covered by the law who refuses to give consent is prohibited, and the like.
But the details for privacy are unusually deep. Companies would have to have privacy policies, design evaluations, retention schedules and algorithm risk assessments.
For example, companies would be required to “mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including in the design, development and implementation of those products and services, taking into account the role of the covered entity or service provider and the information available to it”.
Article Topics
biometric data | biometric identifiers | Biometric Information Privacy Act (BIPA) | data protection | EPIC | legislation | United States
Comments