When using or considering adopting biometric authentication, you’re dealing with extremely sensitive information about a person, a human being. A key piece of responsibly innovating with biometrics is maintaining consumer privacy, given the level of sensitive information that a customer or employee is entrusting you with.
When privacy is upheld, this creates and preserves consumer trust in your company. The following is a practical exploration of what modern consumer privacy entails and some guiding principles.
What kind of data is consumer data?
When we think about the most common consumer data, the following comes to mind: a person’s legal name, their social security number or the equivalent, bank information and medical information (and of course, any sort of encrypted biometric data).
However, the information that’s actually collected by businesses involves virtually everything about a person, even the most seemingly mundane: their google searches, activity on each web page they visit, product preferences, familial status, attitudes towards a variety of topics, and much more. People ostensibly have a sort of “shadow version” of themselves that’s made up of all of this data that they leave behind on the internet.
Why does consumer privacy matter?
On a philosophical level, privacy allows a person the freedom to be their complete self. In fact, in 1948 the U.N. added it to their list of “Universal Declaration of Human Rights.” Personal privacy has been codified as a right to the protection of the law against any kind of violation or encroachment upon one's privacy.
Practically speaking, strong privacy regulations and practices protects today’s consumers from misuse and theft of their data. On the flip side, privacy can empower consumers to decide how their data is collected and used, like the European GDPR enforcing the cookies rule, which lets website visitors determine the kind of data that the website host is allowed to collect about them.
Privacy is essential for a successful biometric system. Without it, people may not feel comfortable adopting it.
Ideally, the person being identified by biometrics chooses the very moment of identification and authentication. They should proactively trigger the process, versus another person or a company doing it for them. For example, this can look like a person taking a step up to the palm vein scanner and hovering or waving their palm over it.
What are the best practices for protecting consumer data?
Maureen Ohlausen, former Acting Chair of the Federal Trade Commission states the following:
“Consumers should be provided clarity and visibility into companies’ data collection, use, and sharing practices, as well as easily understandable choices regarding these practices, calibrated to the sensitivity of that data.”
Strong consumer rights
Data collection - people should have the right to request what personal data companies are storing and request companies to delete the data as well.
Opt-in consent - companies should ask their consumers if they can share or sell their data to third parties.
Data non-discrimination - companies shouldn’t increase prices for those want to protect their privacy, or offer discounts in exchange for more data.
Data Minimization - companies should take the least amount of data needed from consumers.
Moment of choice - as mentioned above, a person should actively choose to be identified, rather than being surveilled from a distance.
What regulations should my company be aware of?
GDPR: The General Data Protection Regulation is the most well known, comprehensive privacy and security regulation to date. It’s a regulation in EU law that applies to companies operating in the EU or European Economic Area, or storing and processing the data of EU citizens. Since its infancy, countries enforcing this law have given substantial fines to the biggest tech companies in the world for non-compliance.
CCPA: The California Consumer Protection Act gives Californians rights to exercise control over how companies collect and use their data. This includes the right to know what data a company collects of theirs, the right to have their data deleted, and the right to opt out of their data being sold or processed. This applies to businesses operating in California or those who process and store the data of Californians.
BIPA: The Biometric Information Privacy Act ensures that people living in the state of Illinois have control over their biometric data. Private companies seeking to collect biometric data from those living in Illinois must inform the individual about what biometric data they’re collecting, the purpose of procuring the data, how long they’ll store it ( among other details), and also ask for consent first.
If your business operates or serves people on different continents from those above, you can check out our privacy ebook to learn additional information about other global regulations.
What are the pitfalls to avoid?
Often as a result, people tend to agree to policies that they actually don’t know about or understand. They lack the knowledge to exercise control over their data or hold companies accountable for responsibly using and storing their data.
Another best practice is to seek applicable accreditations for your business, such as SOC, that will help you build a comprehensive compliance framework. Although these audits often require a lot of work and some financial cost, they help ensure that your business is trusted by consumers and partners alike.
Privacy is profitable
Creating strong customer privacy practices not only serves your customers— privacy truly is good for business. Apple proved this when they rolled out a new privacy feature in 2021, which lets customers opt out of advertisers tracking them on their mobile apps.
According to the New York Times, after Apple rolled out their privacy feature they experienced the following:
“Despite supply chain disruptions, Apple said that sales of iPhones totaled $71.6 billion, up 9 percent from a year earlier. The smartphone maker reported an 11 percent increase in revenue and a 20 percent jump in profit.”
If you’re curious to learn more about privacy in biometrics, don’t hesitate to reach out. We’d love to point you towards more valuable resources to make your path to strong privacy clearer.