Legal 02 Sep 2021

Personal data, BIPA, and voice biometrics -- can they coexist?

Important considerations
By Peter S

What is Personal Data?

There are many definitions for what constitutes Personal Data. We offer a paraphrased version here: "personal data is any information about an individual which includes any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; AND any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

Why is Personal Data Important?

As noted above, and in our review of many publicly available definitions for Personal Data, there are always explicit references to biometric data when discussing Personal Data. Voice biometrics technology companies such as IngenID therefore spend significant amounts of time and resources to address Personal Data privacy, protection, and related concerns.

Most responsible companies go to great lengths to protect the social security numbers, credit card numbers, birth dates, and other Personal Data of their customers. IngenID is no different; however, we not only protect the biometric information of our clients' end customers, we also spend a lot of time with our clients on education, communications, data retention policies, written policies, and other related topics. The loss of Personal Data can be catastrophic for individuals, clients, and service providers such as IngenID. So, we work hard to do everything we can to protect Personal Data and make sure our clients and their end users are aware of the issues, policies, etc.

What is BIPA?

The term "BIPA" is an acronym for "Biometric Information Privacy Act". If you Google the term "BIPA" you will quickly discover that there are many past and current multi-million dollar class action lawsuits impacting many very large companies that have collected biometric data from their employees and/or customers. This is particularly true in the State of Illinois, which is where most BIPA lawsuits are concentrated. However, many states have BIPA statutes, and many more are proposing or considering them.

This article is not intended to be a legal review. However, for those of you who are interested, the Illinois BIPA Statute can be found here.

Can We Coexist?

YES, but ... You must become educated about the issues and proceed with caution! The mere presence of multi-million dollar lawsuits could be enough to scare away many companies and service providers from using biometrics. At the same time, the value of biometric authentication is increasing as fraudsters are becoming increasingly sophisticated. Fortunately, with careful planning, good policy making, proper documentation, and open communications among all parties, you can successfully use biometrics and minimize potential legal exposure.

Where to Begin

We'll start by saying that this article is NOT a substitute for legal guidance, nor does following the recommendations below guarantee that you will stay lawsuit free. In the United States, almost any company can be sued at any time for just about anything. Our focus here is to outline key steps to take if you are considering using voice biometrics (or any biometrics for that matter).

Some Recommendations

The following list is by no means exhaustive. However, it should serve to provide you with a solid foundation for how to proceed when planning to deploy voice biometric technology anywhere within your organization.

  • Get Legal Guidance. Specifically, seek a firm that has experience with BIPA statutes and other Personal Data laws and statutes. This should be your very first step. It's important to understand ALL local, state, and federal laws where you plan to operate with biometrics.

  • Check Insurance Coverages. Depending on your industry and insurance policy, you may have some protection for loss of Personal Data or fee coverage for lawsuits. If possible, see if you can obtain Cyber Insurance coverage. Relative to some of the class action settlement amounts that are being paid by defendants, insurance premiums are a bargain.

  • Develop Personal Data Handling Policy. Your InfoSec policies may already address how all Personal Data is to be handled. But relative to biometric data, it's worth diving into the details and making sure you have an iron-clad plan. How much biometric data do you need to keep? Where will you keep your biometric data? Will you share the biometric data with any 3rd parties? Best practices state that you should only keep the data that you truly need, and delete or scrub data as soon as it is not needed. Also, your data should be encrypted in transit and at rest. And, you should never share biometric data outside of your own organization.

  • Develop or Expand Privacy Policy. If you don't have a Privacy Policy that specifically addresses your Personal Data Handling Policy, then develop one. Make sure your Privacy Policy is published on your website and is easily found and understandable by your end users. Clear communications are critical.

  • Obtain End User Consent. This is perhaps the single biggest reason behind BIPA lawsuits -- companies fail to get informed, written consent from end users BEFORE collecting their biometric data. You'll need to check with your legal advisor to determine exactly what "written" means, and what the best and clearest terminology is for your use case. However, in many cases, a clear statement of why you are collecting the biometric data, how long you need to keep it, how it is being protected, your data sharing policy, etc., along with electronic agreement and attestation from the end user (i.e., "I grant consent/agree" or "I revoke consent/disagree"), with a time-date stamp may be sufficient.

  • Plan to Communicate. To the extent possible, end users should be informed about your use of voice biometrics -- before you ask for their consent. Include information on your website, with monthly billing statements, in company FAQs, etc. There are significant advantages to using voice biometrics, so let them know your reasoning -- and make all policies clear and easy to understand.

  • Plan to Train Staff. The use of voice biometrics is new to many people, so there WILL be questions. You need to train your support staff and anyone who may interact with your end users. Staff should be able to articulate the benefits of the technology (e.g., faster authentication, better security for their account), help end users troubleshoot common problems, etc. Again, this is not a BIPA-specific recommendation, but clear communications and training will be helpful.

  • Make Consent Variable. [Optional] Consent being granted or revoked should not be considered a one-time or static event. An end user may grant consent and then at a later point decide that they want to revoke consent. Or, vice versa. You should develop your application(s) to allow for variable consent for end users -- even allowing end users to change consent daily if desired. This is a conservative recommendation, but one that could spare you headaches in the future.

  • Allow Private Data to Be Returned. [Optional] Consent management is part of the equation. Another part to consider is returning Personal Data that you've collected to your end users. This "right" is mandated by the European Union's General Data Protection Regulation (GDPR). And while not specifically mentioned in BIPA, this is the direction things seem to be going globally. So, make sure your applications have the ability to give end users their data back.

    NOTE: In the case of IngenID and our voice biometric data, end user speech samples are sent to us by our client applications -- NOT voiceprints. So, we support providing end users their original speech samples (subject to the client's data retention policy). However, voiceprints are created, maintained, and destroyed 100% within the IngenID One™ Platform. At no time do voiceprints ever leave our system, nor are they ever shared.

Closing Comments

As this article demonstrates, there are many things to consider when planning to deploy voice biometrics. However, much of what we've covered here could apply to credit card data, healthcare records, or other highly sensitive Personal Data. Working with an experienced legal team, developing clear and easy-to-understand policies, communicating clearly and openly with your end users, and obtaining their consent will all go a long way toward minimizing legal risk.

Finally, should you have any questions about how IngenID specifically helps its clients navigate these issues, please Contact Us.