Boarding a flight. Buying a coffee. Accessing a financial account. The number of actions or transactions that individuals can accomplish through the use of facial recognition, thumbprints, voiceprints, or other biometric information is varied and increasing.
Google Pay recently announced that it will authenticate payments through biometric confirmation in lieu of a PIN code. This summer, Walmart submitted a patent application for a blockchain currency that (according to the filing) in some cases “may act as a pre-approved biometric (e.g., fingerprint or eye pattern) credit.”
Meanwhile, multiple major Chinese payment companies verify payments through facial recognition with even more start-ups seeking to enter this space.
Biometrics in Multi-Factor Authentication
Payment providers can use biometric information to enable multi-factor authentication—a system of verification that requires the use of at least two of the following types of information: something the user knows, something the user has, or something the user is. Biometric information is what a user is, and requiring users provide biometric information along with a password (something the user knows) can enhance security.
But the increasing prevalence (and relative lack of regulation) of biometric authentication has led many to ask the obvious question: What happens when the personal information compromised is something the user cannot readily change, such as the user’s face or fingerprints?
Security and data breach considerations are obvious and important. But beyond the inherent risk of relying on immutable biometric information to verify consumers’ identities, companies should be aware of the legal and regulatory framework governing its use—and how that framework may change in the near future.
U.S. Biometric Information Laws
Unsurprisingly, the United States has a patchwork of federal and state laws that may apply to biometric payment processing. Three states—Illinois, Texas, and Washington—already have statutes specifically addressing how companies may collect, use, and retain biometric information.
Illinois Biometric Information Privacy Act
The Illinois Biometric Information Privacy Act (BIPA), for instance, requires any private entity collecting such information to provide notice and obtain a written release from an individual before collecting that person’s biometric information (or a biometric “identifier,” which is separately defined by the statute).
BIPA does not rely on regulatory enforcement but has a private right of action that has been construed to provide broad relief. Earlier this year, the Illinois Supreme Court clarified that a violation of the statute, without an additional showing of harm, is sufficient to state a claim.
California Consumer Privacy Act
Beyond state laws specific to biometric information, the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, is a comprehensive data privacy law that includes biometric information in its extremely broad definition of “personal information” subject to the statute.
At the federal level, the Gramm-Leach-Bliley Act (GLBA) may apply in lieu of state laws in certain scenarios, but companies should not assume that it will apply in every case. GLBA applies only to financial institutions and protects “personally identifiable financial information,” which includes information that:
- Individuals provide to receive a financial product or service;
- Information about an individual from transactions involving financial products or services; or
- Information about individuals received in connection with providing financial products or services.
Thus, GLBA could capture biometric information used to verify payments in certain circumstances. In addition, the FTC has offered guidance, issuing general best practices in 2012 for the use of facial recognition and more recently suggesting that consumers use multi-factor authentication (including enabling verification through biometric information such as fingerprints) for peer-to-peer payment systems and mobile applications.
EU Laws on Biometric Identification
The legal and regulatory considerations multiply as payments cross borders. Under the European Union’s General Data Protection Regulation (GDPR), biometric information used for identification—which is how biometric information is generally used in the payments space—is a special category of personal data that requires an additional condition for processing (beyond the required legal basis).
Although one of the options on the list of additional conditions is obtaining the explicit consent of the data subject, companies should remember that the GDPR has stringent requirements for consent—i.e., it must be freely given, specific, and “informed”—and explicit consent seems to require something more than this.
Companies that want to employ biometric information for use cases beyond payments also should be aware that the right to be informed means, at a minimum, that data subjects must receive information regarding the purpose of processing, the type of data to be collected and used, and (if applicable) information about the use of the data for automated decision-making.
There are indications that Europe may go even further in regulating the use of facial recognition. As reported by the Financial Times this summer, the EU is planning “sweeping” regulation of facial recognition. The concerns underlying such potential regulation appear to relate to large-scale use of facial recognition technology, particularly in public spaces, but it is not difficult to see potential application to the use of biometric information in payments.
This is particularly relevant because the EU’s revised Payment Services Directive (PSD2), which went into effect in September 2019, included new, stronger security requirements for electronic payments—which may increase the use of biometric information for verification.
Regulatory Challenges for Biometric Technology
Additional payment security requirements may be on a collision course with privacy and data protection legislation that governs the use of biometric information. As the use of facial recognition increases, companies should be aware of pre-existing regulations—both those that target biometric information and those that address comprehensive privacy, data protection, or payments more broadly—as well as those on the horizon from privacy and financial regulators.