Cars’ Biometric Features Must Evolve to Ease Privacy Concerns

Sept. 19, 2024, 8:30 AM UTC

Consider a biometrically enabled day: Your face unlocks your phone, and your fingerprint unlocks your car. You scan your palm to purchase your groceries. Your iris is scanned to verify your identity at TSA pre-check. Consumers are becoming more accustomed to the everyday use of biometric data, with businesses, including automakers, embracing technologies that collect and use it.

Biometric data includes physiological, biological, and behavioral characteristics that uniquely identify us as individuals. Given this sensitivity, there has been heightened attention to the use of biometric technology, including in advanced vehicle features and services that require collection, use, and sharing of biometric data. Consumers should be cautious.

In response, state and local legislators have passed an array of consumer protection laws geared to protect biometric data, including in Illinois, Texas, and Washington. Illinois’ Biometric Information Privacy Act is the most well-known because of its private right of action, which the plaintiffs’ bar has used extensively and successfully.

All 19 comprehensive state privacy laws—in effect or otherwise coming into effect—regulate biometric data as a category of state-regulated personal information. Health data laws in Washington and Nevada regulate biometric data as part of their broader focus.

New York City requires commercial establishments to provide notice to customers when processing biometric data and prohibits profiting off of or obtaining value from such information. Portland, Ore., outright bans private entities’ use of facial recognition technology in places of public accommodation, with no consent exception. This means facial scanners used by retailers to identify perceived shoplifters are prohibited in the city.

Despite the difficulty of navigating the patchwork of laws, automakers continue to innovate use of biometric data with the goals of greater security, privacy, safety, convenience, and personalization. Balancing the risks and benefits will be essential to continued use of the technology.

Such data can provide certainty in identifying individuals. For example, a fingerprint or iris can replace a key fob or phone app for lock/unlock capabilities, eliminating reliance on another device to open the vehicle and technological exploits that currently plague keyless entry—relay attacks, signal interception, and spoofing. Using a fingerprint or iris scan, coupled with protective security measures and consumer transparency, could bolster security against auto theft.

Consider the impact biometric data analysis can have on road safety by preventing intoxicated driving, driver fatigue, and health-related incidents that may otherwise impair driving, such as heart attack, stroke, or seizure. Also, biometric data substantially increases protection of private information by alleviating risks associated with a previous user’s settings that weren’t removed, such as in a rental car.

As more biometric data technologies become integrated in cars, including hands-free capabilities, drivers will have a wider menu of personalized conveniences and fewer driving distractions—a major cause of accidents today.

Using biometric data in cars creates consumer benefits of safety, privacy, security, convenience, and personalization, but the collection of biometric data also brings risks. If a bad actor is clever enough to steal one’s facial metrics, fingerprint ridges, or other biometric data, remediating such unauthorized use is difficult. You can’t replace a fingerprint, iris, or facial contours. Replacing a regular key that isn’t connected to your person merely imposes hassle and cost.

There is also the risk of false negatives or positives in using biometric data. However, authentication through facial recognition scanners has become significantly more rapid and accurate thanks to artificial intelligence and language learning models. Will narrowing error margins increase consumer and regulatory acceptance? Will criticism of this improvement slow acceptance?

Risks of unreliability exist today. Biometric scanners that allow entry into one’s car must function even when faced with a dead battery, dirty scanner, background noise, or inevitable environmental changes, such as varied light and weather. Continuous improvement in technology is critical to reduce unreliability and increase consumer acceptance of biometric data technology.

Consumers must consider that automakers may be legally required to share biometric data they’ve collected and retained with law enforcement in limited circumstances, without notice to or consent from the consumer—a potential risk to individual privacy.

To mitigate risks, automakers must implement and maintain strong data governance frameworks. This includes collection, use, and retention of only data sets necessary to provide a feature or service; robust and comprehensive security measures; legally acceptable mechanisms to obtain consent from drivers and passengers for the collection and processing of biometric data; processes to avoid inadvertent collection of biometric data of non-drivers and non-passengers; data protection impact assessments; data retention policies; and privacy-by-design products and services.

For example, privacy by design allows automakers to intricately build privacy and data security measures into products and services from conception, implementation, and throughout the lifespan of the product or service. Similarly, data protection impact assessments shed light on risks associated with the use of such products and services, allowing automakers to address and mitigate those risks in a timely manner.

Consumer opinion will ultimately decide where the benefits outweigh the risks. Stronger security, greater personalization and convenience, and improved road safety are significant benefits of biometric data. But given the legal landscape and some valid criticism of its collection and use, businesses that launch products and services reliant on biometric data should mitigate risks and educate their consumers about their efforts to create a secure environment.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Allison Cohen is of counsel at Loeb & Loeb and advises on a full spectrum of issues and transactions related to privacy, security, dealer franchise and marketing.

Teodoro “Teddy” Shelby is an associate at Loeb & Loeb and handles data privacy compliance and transactional matters across an array of industries.


To contact the editors responsible for this story: Jada Chin at jchin@bloombergindustry.com; Daniel Xu at dxu@bloombergindustry.com
