Data privacy law regulating the collection and use of personal data has gradually begun to account for biometric data collected via facial recognition technology and other physical screening techniques. At least ten states (Arkansas, California, Colorado, Delaware, Illinois, Maryland, New York, Texas, Virginia, and Washington) have enacted laws regulating biometric data in some form. Many more have introduced legislation that includes biometric information within existing privacy law frameworks.[1] However, no state law fully accounts for the significant privacy concerns that arise from recording sensitive personal biometric data through a similarly evolving technological space: virtual reality (VR), augmented reality (AR), the metaverse, and other similar technologies (dubbed “immersive technology” by attorney Brittan Heller in her work in this area).[2]
Biometric law in the United States largely centers around data collected or recorded for identification or authentication purposes. Thus, advances in immersive technology hardware could create gaps in coverage for sensitive personal information gathered for other purposes. Immersive technology oftentimes depends on the collection and use of biometric data (like retinal scans and descriptions of physical features) to perform crucial functions of the technology itself.[3] Because of fundamental issues in the language of current and pending state biometric privacy laws, creators of these technologies can collect and potentially sell and misuse this information while evading legal sanctions.
As an example, Illinois’s Biometric Information Privacy Act (BIPA), effective since 2008, is the oldest and most robust biometric-specific law in the country. The law creates safeguards and procedures which regulate the collection, retention, and use of biometric data. However, even BIPA’s strong protections for biometric data privacy display gaps and ambiguities that could allow immersive technologies to slip through the cracks.
In designating what data is covered under the statute, BIPA differentiates the terms “biometric identifier” and “biometric information.” A “biometric identifier” is defined in the statute as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[4] Exclusions from this definition include “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color,” as well as various information and biological materials collected in a health care setting.[5] “Biometric information” is defined as “any information regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual [and] does not include information derived from items or procedures excluded under the definition of biometric identifiers.”[6]
The definitions of both “biometric identifier” and “biometric information” are underinclusive and ambiguous as to how they might be applied to evolving immersive technology hardware. Additionally, the statute’s narrow definition of biometric data focuses only on information that is “used to identify an individual.”[7] This formulation potentially excludes physiological data that is recorded by immersive technology for other purposes (e.g., data which reveals undisclosed medical conditions or sexual preferences) from the class of protected information.
Over the past decade, many states have proposed legislation to enhance privacy protections for consumer biometric data and other personal information. Most of these laws are modeled after BIPA or subsequent legislation from other states like California, Washington, and Virginia.[8] Many states have also proposed bills that have stalled or failed at various stages of the legislative process.[9] There is no comprehensive federal law regulating biometrics, but legislation was proposed by Senators Jeff Merkley and Bernie Sanders in August 2020 that would impose requirements similar to those contained in BIPA.[10] The growing conversation around this issue indicates an increasing awareness of the inherent privacy concerns in this area. However, most, if not all, of the proposed bills regarding biometrics define biometric information using the same identity- and commercial-based frameworks that existing state biometric laws employ. Thus, the same pitfalls and loopholes may still cause ambiguity and privacy concerns for consumers of immersive technology.[11]
Although more and more states are considering laws which protect and regulate biometric data, existing biometric laws do not adequately cover the unique privacy concerns presented by the immersive technology industry. An overhaul of the current legal framework surrounding the use, gathering, and storage of this type of information is needed to protect the privacy rights of consumers.
[1] https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
[2] https://scholarship.law.vanderbilt.edu/jetlaw/vol23/iss1/1/
[3] https://groups.inf.ed.ac.uk/tulips/papers/mathis2020chi2.pdf
[4] 740 Ill. Comp. Stat. Ann. 14/10 (2020).
[5] Id.
[6] Id.
[7] Id.
[8] https://pro.bloomberglaw.com/brief/biometric-data-privacy-laws-and-lawsuits/
[9] https://www.jdsupra.com/legalnews/the-state-of-proposed-biometrics-laws-7216766/
[10] https://pro.bloomberglaw.com/brief/biometric-data-privacy-laws-and-lawsuits/
[11] https://scholarship.law.vanderbilt.edu/jetlaw/vol23/iss1/1/