TheTrucker.com

Who ‘owns’ the fingerprints, facial scans used to log into cellphones?

Reading Time: 4 minutes
Who ‘owns’ the fingerprints, facial scans used to log into cellphones?

Brad Klepper is busy helping drivers with traffic violations this month, so we’ve pulled this still-relevant column, which originally ran in the Feb. 1, 2022, edition of The Trucker.

As you may have figured out through reading these columns, I’m not a big social media guy. Sure, I write these articles — and I’m on LinkedIn and my business has a Facebook page and the other things — but not me personally.

My goal is to have zero personal information on the internet. I’m losing this battle, I know, but I’m trying. In fact, my entire social media presence (or lack thereof) is based on a few assumptions.

First, nobody in the world cares about or wants to see pictures of my family, my dogs or what I ate for dinner last night. Nobody. Moreover, if we really wanted to stay in contact after grade school, middle school or high school, we would have, looking at your Facebook (or Meta).

Second, my sense of humor is a tad bit warped and can be more than a little dark. So, the chances of me posting something in less than 150 characters that could offend the entire world is very real, and would likely occur. In fact, I would set the over/under prediction at this occurring at three posts. Accordingly, Twitter is out of the picture.

Third, the thought of creating a video story or posting pictures and other images on Instagram, TikTok or any other app just sounds exhausting. I like to lie to myself and say I work hard at my job, and, at the end of the day, I just want to spend time with my family and dogs and relax. Creating something for an app just does not appeal to me, and I am amazed at the time people have to devote to this endeavor.

So, we have basically established that I’m a social-media curmudgeon. And I’m cool with that. I don’t want an internet presence, and I definitely don’t want anyone to track me or use my personal information.

Well, as I was surfing the internet the other day, I ran across an article about a company that was misusing a person’s biometric data. As I’m obviously a big privacy guy and don’t want any internet presence, this intrigued me.

A bit of background info: Biometric information is data based on things such as your fingerprints, a retina scan, voiceprint, hand scan or facial scanning. Now that you know what biometric information includes, think of how often you use it. Off the top of my head, my phone recognizes both my face and fingerprint to unlock it, and I have at least a half dozen apps that use my thumbprint as my sign-in.

The more I thought about it, the more I wondered what, if any, laws exist to protect all this information companies have acquired about me. Well, the good news is that five states have some type of biometric privacy laws already on the books. The better news is that the majority of the remaining states have pending legislation to address this issue.

In 2008, Illinois became the first state to enact a Biometric Information Privacy Act (BIPA) to govern the collection, use, handling, storage, retention and destruction of biometric data by businesses. In short, the Illinois version of BIPA covers any biometric data, regardless of how it’s captured. So, your fingerprint used to open an app, or your facial scan used to unlock your phone are covered — but it also includes publicly available information about an individual. This would include taking pictures of people in public, or even gathering info from a public photograph.

In addition, BIPA applies, regardless of how the information is converted or stored. For what it’s worth, most fingerprint scans are converted to an algorithm. This algorithm can’t be reverse engineered to re-create the fingerprint. So, even if there’s no risk of harm to the individual, a business can still be liable for statutory damages based on its use of the information.

OK, so we know some states have statutes in place to protect the use of biometric data … but how can companies use this without running afoul of the law? Generally, there are four things a business must do to be in compliance.

First, before collecting any biometric data a business must have a written policy in place that covers, among other things, the retention period and guidelines for the destruction of such information. This policy must be publicly available.

Second, a business must provide you with written notice that the information is being collected and provide the reason for the collection, describe the length of time that the information will be stored and used, etc. This is often found in the “terms of use” that you must acknowledge before you can use an app. I know … I don’t read those things either.

Third, a business must take steps to ensure the security of the information collected. It should also regularly review the need to retain such information and ensure that it’s deleted when it is no longer required.

Finally, generally speaking, a business may not disclose any information to a third party without your express permission. Of course, a business may disclose parties with whom the information may be shared at the point of collection. Remember the “Terms of Use” agreement? Yeah, look in there.

Now, what if the business violates BIPA? Well, in Illinois the base statutory damages start at $1,000 per violation and increase to $5,000 for intentional or reckless violation.

Well, you may ask, what is the big deal you? My fingerprint or retina scan is not that big a deal. I would disagree.

Your biometric data is yours and yours alone. While I enjoy the convenience of being able to log in to apps and my phone with this information, I don’t want it to be sold or used for commercial purposes without my consent.

Moreover, this information can be used to track and monitor people without their consent. As I mentioned earlier, I don’t even want to have a social media presence — much less have companies tracking my movements through facial-recognition software, fingerprints or voiceprints.

This type of information is ripe for misuse. As a result, I think it is important that all states adopt some type of biometric information privacy legislation as soon as possible.

Brad Klepper is president of Interstate Trucker Ltd. and is also president of Driver’s Legal Plan, which allows member drivers access to services at discounted rates. For more information, contact him at 800-333-DRIVE (3748) or interstatetrucker.com and driverslegalplan.com.

Brad Klepper

Brad Klepper is president of Interstate Trucker Ltd., a law firm entirely dedicated to legal defense of the nation’s commercial drivers. Brad is also president of Driver’s Legal Plan, which allows member drivers access to his firm’s services at discounted rates. For more information, contact him at (800) 333-DRIVE (3748) or interstatetrucker.com and driverslegalplan.com.

Avatar for Brad Klepper
Brad Klepper is president of Interstate Trucker Ltd., a law firm entirely dedicated to legal defense of the nation’s commercial drivers. Brad is also president of Driver’s Legal Plan, which allows member drivers access to his firm’s services at discounted rates. For more information, contact him at (800) 333-DRIVE (3748) or interstatetrucker.com and driverslegalplan.com.
For over 30 years, the objective of The Trucker editorial team has been to produce content focused on truck drivers that is relevant, objective and engaging. After reading this article, feel free to leave a comment about this article or the topics covered in this article for the author or the other readers to enjoy. Let them know what you think! We always enjoy hearing from our readers.

COMMENT ON THIS ARTICLE