A bill proposed by House Speaker Rusty Bowers would make it illegal for a company to use biometric data for commercial purposes.
House Bill 2478 states that a person may not enroll an individual’s biometric information into a database for commercial use unless certain criteria are met. Anyone who violates the law could be fined up to $10,000 per violation and could face lawsuits as well. The Arizona Attorney General’s Office would also be authorized to investigate and penalize violations of the proposed law.
Companies or individuals would only be able to store a person’s biometric data if he or she gives consent for it to be stored. They also must give that person notice that his or her data will be stored to be used for commercial purposes.
The bill defines biometric data as “data that is generated by automatic measurements of an individual’s biological characteristics, including a fingerprint, voiceprint, retina, iris or other unique biological pattern or characteristic that is used to identify a specific individual.”
There are several exemptions in the speaker’s proposal. It would not include photographs or video taken of a person that is used for health care. The bill would not apply to biometric data used for law enforcement or security purposes. The bill defines security purposes as the prevention of theft, shoplifting, fraud, protecting the security or integrity of software, accounts, applications and other online services. And it wouldn’t stop any federal or court orders for biometric data.
“It’s a very in-depth bill,” Bowers told the Arizona Mirror, adding that he was hoping to have further talks with Gale about it. “I told her I’ve dropped it and now it’s time for her to come down and lobby for it.”
Gale did not respond to a request for comment and clarification on some parts of the bill.
Steven Zylstra, president and CEO of the Arizona Technology Council, said the bill seems fair on its face.
“We’ll just have to find out if we have any members here in Arizona that may have any issues with it,” Zylstra told the Mirror.
Zylstra said he is not aware of any commercial uses for biometric data that are not security related, but added that you can’t “underestimate how people might use something.”
Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, a non-profit that advocates for privacy and technological rights, has concerns about uses of biometric data that aren’t addressed by Bowers’ bill. For example, he noted that many stores are now beginning to implement biometric technologies that use facial recognition technology to compare a customer’s face with regulars or with mugshots.
Nonetheless, Schwartz was supportive of Bowers’ proposal, telling the Mirror, “It is good that an Arizona legislator wants to pass a law to protect biometric privacy.” Adam Schwartz.
The bill also states that biometric data necessary to a financial transaction or that would be used by a third party to complete a transaction would not be impacted. However, if such data was collected for a financial transaction, the bill would still bar companies or individuals from using it for other purposes.
There are some unanswered questions in the bill. It is not entirely clear how it would be enforced against a company that does not hold data in the state but has users within the state, such as Apple, whose phones can use fingerprint and facial recognition data to unlock them.
“It doesn’t have a strong enforcement mechanism,” Bowers said, “which is probably why Apple and Google are not coming at me with a lead pipe in the parking lot right now.”
Bowers said he couldn’t answer some of the Mirror’s more pointed questions about the bill as he was waiting to have another meeting with Gale to become “more informed” on the bill.
However, the wording of the bill put the responsibility on entities that collect this type of data, no matter where it is stored, according to Zylstra.
“The bill came as a bit of a surprise. None of use knew it was in the works,” Zylstra said, adding that it is an “example where the legislature is trying to get in front of something before its a problem, which is unusual.”
Biometric data has been under additional scrutiny lately as consumers have been paying closer attention to how their data is used in light of high profile data breaches.
Most recently, Google won a battle late last year after a federal court judge threw out a case that argued the company had broken an Illinois law that groups like the EFF have heralded as the model for any legislation around biometric privacy protections.
The Arizona bill is similar to the Illinois law, but differs from it in two very distinct places, according to Schwartz.
The Illinois law allows for private individuals to sue whereas the Arizona bill does not.
The Arizona bill, much like another similar law in Texas, relies on the the state’s attorney general to enforce the law. This worries privacy advocates like Schwartz who say you can’t rely on the government to provide adequate enforcement.
Many other consumer protection laws allow for individuals to sue because in many cases, government agencies may not have the adequate resources or time to fully investigate. Allowing consumers to take the responsibility themselves allows for better oversight, Schwartz said.
The other area it is lacking, according to Schwartz, is it’s failure to mention face surveillance.
Facial recognition was initially a technology used mostly by law enforcement, but is now creeping into other industries. Recently, singer Taylor Swift faced scrutiny after it was discovered she used the technology at her concerts to look for known stalkers.
Biometrics is not just about surveillance or consumer data. Biometrics have become the rage in the tech world lately as some see it as a more secure solution to protecting one’s personal information, under the theory being that a retina image, face or fingerprint is more unique and harder to recreate than a person’s password.
But biometrics are not unbreakable.
In 2017, security researchers in Japan showed that fingerprints could be lifted from photos of people giving the peace sign. Researchers recently were also able to bypass facial recognition by creating 3D printed copies of a subject’s head.
None of this is slowing down the use of the tech which is estimated to be used in up to $2 trillion in financial transactions by 2023, according to researchers.