Biometrics: Think Twice Before You Use Them

A panel of three judges recently denied Facebook's appeal to halt a class action lawsuit filed against it in 2015. The lawsuit alleges that individuals in Illinois did not give consent for Facebook's facial recognition technology to use their photos.

Facebook began using facial recognition software in 2011 when it asked users to identify friends in the photos they posted. One of the panel judges stated that it "seems likely" that the technology could be used to identify a person for surveillance or to unlock a device using biometric data.

Facebook had sought to have the case heard en banc by the complete panel of the judges of the U.S. Court of Appeals for the Ninth Circuit.

The class includes around seven million individuals. Facebook could face fines of $1,000 to $5,000 for each penalty, which could add up to as much as $35 billion.

PYMNTS, "Facebook Facing $35B Fine Over Facial Recognition Lawsuit," pymnts.com (Oct. 18, 2019).

Commentary

Always weigh the need for new technology against any privacy risks it creates before starting to use face or voice recognition software, biometric data logins, or other technology that involves personal data.

The more personal data your organization collects and stores, the more risk you face related to a data breach or allegations of privacy violations.

Also make sure you know your state and local laws concerning the use of personal and biometric data. Several states have passed regulations governing biometric identifiers. Organizations should also be aware that some insurance providers do not cover biometric data law violations.

Do not collect, use, or store biometric data in either a consumer or employment context until you have worked with your legal counsel to confirm that your use of technology does not violate local, state, or federal guidelines.

If, after a thorough evaluation, you decide to implement technology to collect, use, or store retina or iris scans, fingerprints, voiceprints, or hand or face geometry scans, your organization must follow strict guidelines concerning this data.

Always provide written notice and receive informed written consent before collecting biometric identifiers. Publish your document retention policy for biometric data. Keep this data secure using the latest cybersecurity measures. Destroy biometric data after the purpose for its collection is satisfied, and obtain additional consent before sharing biometric information with a third party.
