Biometric Data Processing Regulatory Overview
The use of Netradyne’s Visual Login System (VLS) may constitute processing of biometric data in some jurisdictions. The contents of this page provide a limited overview of regulatory requirements associated with biometric data.
Note: The contents of this section should not be construed as legal advice or a substitute for legal advice. While Netradyne attempts to provide relevant and current information regarding regulatory requirements that apply to the processing of biometric data, it makes no claims that the information provided here is exhaustive, current, or adequate. Similarly, Netradyne makes no claims that the sample consent form or the Biometric Information Policy provided by Netradyne are sufficient to comply with all applicable legal and regulatory requirements in your jurisdiction. It is imperative to seek definitive legal advice and check applicability of different laws in your region before enabling the VLS feature.
U.S. Requirements for VLS
Last Updated: 07/2023
In the United States, Texas, Illinois, and Washington are currently the only states with dedicated biometric privacy laws. However, many states have expanded their comprehensive privacy laws, placing restrictions on the collection, use, retention, and sharing of biometric information. The City of Portland has also passed an ordinance that prohibits certain uses of facial recognition technologies. If you choose to enable the Visual Login System (VLS), those laws might apply to your use of VLS.
Presented below is a summary of existing and proposed biometric privacy laws in some of the states. The law in this area is changing rapidly, and the information provided is not intended to be a substitute for legal advice. If you have any questions, please contact privacy@netradyne.com.
Existing Legislation: Summary of Key Requirements
Illinois
(740 ILCS 14/) Biometric Information Privacy Act
The law requires entities in possession of biometric identifiers or biometric information to comply with certain requirements:
- Provide a notice to individuals, whose biometric information is to be collected, informing them of the specific purposes and duration for which biometric information will be collected, stored, or used.
- Obtain a written release from the individuals to proceed with the collection or disclosure of the biometric information.
- Make available to the public a written policy establishing the retention schedule and guidelines for permanently destroying biometric information.
Texas
Texas Business and Commerce Code Sec. 503.001.
An entity capturing a biometric identifier of an individual for a commercial purpose is required to:
- Notify the individual before capturing the biometric identifier and obtain the individual’s consent to capture the biometric identifier.
- Protect the data from disclosure using reasonable measures.
- Destroy biometric identifiers within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric information expires.
Washington
Wash. Rev. Code § 19.375.010 et seq.
- A person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
City of Portland
Portland City Code, Title 34: Digital Justice, Chapters 34.10.010-34.10-050
- The ordinance prohibits a Private Entity from using Face Recognition Technologies in Places of Public Accommodation within the boundaries of the City of Portland.
Proposed Legislation: Summary of Key Requirements
Arizona
- Private entities must develop a public written policy establishing retention schedule and destruction guidelines for biometric information.
- Private entities must obtain informed written consent from individuals prior to collection of their biometric information.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity.
Connecticut
- Any entity using facial recognition technology to identify customers and guests in a public space must post a clear disclosure of such use.
Hawaii
- Private entities must develop a public written policy establishing retention schedule and destruction guidelines for biometric information.
- Private entities must obtain informed written consent from individuals prior to collection of their biometric information.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity.
Maryland
- Private entities must develop a public written policy establishing retention schedule and destruction guidelines for biometric information.
- Private entities must obtain informed written consent from individuals prior to collection of their biometric information.
- Biometric information must be destroyed upon the earlier of (1) satisfaction of the purpose for collecting the information; or (2) within 3 years of the relevant individual’s last interaction with the entity; or (3) within 30 days after receiving a request to delete an individual’s data.
- The Act would take effect on October 1, 2023.
Massachusetts
2023 MA S.B. 195
- Private entities must develop a public written policy establishing retention schedule and destruction guidelines for biometric information.
- Private entities must obtain informed written consent from individuals prior to collection of their biometric information.
- Biometric information must be destroyed upon the earliest of (1) satisfaction of the purpose for collecting said information or (2) within 1 year of the relevant individual’s last interaction with the entity.
Similar bills have been proposed in Minnesota, Missouri, Montana, Nevada, New Jersey, Pennsylvania and Tennessee.
The collection and use of biometric information is also covered by comprehensive state privacy laws in states including California, Colorado, Virginia, Connecticut, and Utah. The privacy laws in these states regulate biometric information as a form of “sensitive” information.
Most of these laws and bills stress the following key requirements:
- Provide notice and obtain consent from individuals.
- Develop a written policy establishing a retention schedule and guidelines for destruction of biometric data.
UK/EU Requirements for VLS
Last Updated: 07/2023
Summary of Key Requirements
The use of VLS in the EU is primarily regulated by the provisions of the EU General Data Protection Regulation (GDPR).
- The GDPR treats “biometric data” as a special category of personal data and therefore requires due consideration to the principles of lawfulness, necessity, proportionality and data minimization.
- Controllers should first assess the impact on fundamental rights and freedoms and consider less intrusive means to achieve their legitimate purpose of the processing.
- The use of biometric recognition functionality by private entities for their own purposes (e.g. marketing, statistical, or even security) will, in most cases, require explicit consent from all data subjects (Article 9(2)(a) GDPR); however, another suitable exception in Article 9 could also be applicable.
- The use of VLS in some EU countries might also require assessing specific video-surveillance laws or employment laws in that country. In these EU countries, for companies that have a Works Council, the use of VLS may be subject to prior approval by the Works Council.
- A Data Protection Impact Assessment (DPIA) should be conducted to assess impact on the rights and freedoms of the drivers. The assessment scope should include VLS.
- Netradyne recommends notifying drivers of the purposes for which their personal data is processed. In addition to providing a detailed privacy notice, it is advisable to place privacy stickers inside the vehicles to notify drivers that their personal data (including biometric data, as applicable) is being processed.
- Netradyne recommends obtaining informed consent from all drivers before enabling VLS in UK/EU.
If you have any questions, please contact privacy@netradyne.com.
Canadian Requirements for VLS
Last Updated: 07/2023
Summary of Key Canadian Privacy Law Requirements
- As with the EU GDPR, Canadian privacy laws consider biometric information to be sensitive personal information. Thus, entities wishing to process such data must generally obtain informed and explicit consent to do so.
- A Privacy Impact Assessment (PIA) should be conducted to assess privacy impact on individuals. Canadian privacy laws require that the collection and use of personal information be limited to what is reasonable and necessary in the circumstances.
- Due consideration should be given to principles of data minimization, retention limitation, data subject rights, transparency and data security.
- Quebec has more stringent requirements for biometric data processing. The creation of a database of biometric characteristics or measures must be disclosed to the Commission d’accès à l’information (CAI) no later than 60 days before such a database is put into operation.
If you have any questions, please contact privacy@netradyne.com.