While progress has been made in data privacy regulation this year, with many states introducing innovations in comprehensive privacy legal frameworks, efforts to regulate biometric data privacy are slowing as states focus on artificial intelligence regulation. It was overshadowed by this.
Jameson Spivak, senior policy analyst for immersive technologies at the Future of Privacy Forum think tank, told StateScoop there have been two successful state biometric privacy laws this year in Colorado and Illinois. However, he said that in general, AI is casting a large shadow. National policymakers are expected to introduce nearly 700 AI bills in 2024, with many more in 2025.
This shadow looms over the absence of federal privacy laws protecting consumers’ biometric data. In May 2023, the Federal Trade Commission issued a policy statement on biometric data that includes broader definitions than those contained in state law, and the Commission takes a stricter approach to protecting biometric data. He suggested that it might be possible. But Pivac said biometric regulations remain “up in the air” heading into 2025 due to the incoming presidential administration and the impact of AI.
Fixing biometrics behind AI
In 2024, some states, such as Colorado, simultaneously tackled data protection laws specific to AI and biometrics. However, Spivak points out that the vast number of AI laws and policies introduced by states are efforts to protect biometric data such as depictions, images, and records of an individual’s facial features, eyes, fingerprints, handprints, voice, genetics, etc. He said that it shows a shift from
“What we saw in 2024 was that policymakers were moving significantly away from biometrics and putting more emphasis on AI. This is not particularly surprising, because now It’s all about AI, and that’s why there’s just less focus on AI than there has been in recent years,” Spivak said. Said.
Two successes in Colorado and Illinois came in the form of changes to existing privacy laws. Illinois has passed amendments to the Illinois Biometric Information Privacy Act (BIPA) that some privacy experts hail as the gold standard for biometric data laws. It includes a private right of action that allows people to bring legal action against companies found to have violated the law. BIPA amendments passed this year included limits on the number of violations for which a company can be held liable under private rights of action. Spivak said the amendments greatly benefited businesses because instead of paying a fee for each violation, the violations would be grouped together as a single violation.
This year, Colorado passed both the nation’s first comprehensive AI bill targeting AI discrimination and new amendments to its privacy law that include protections for biometric data.
Last May, Colorado Gov. Jared Polis signed legislation amending the state’s comprehensive privacy law, the Colorado Privacy Act, and Spivak said these rights and obligations were incorporated into the Illinois Privacy Act. It is said that it is almost reflected. Colorado’s proposed amendment does not include private rights of action like BIPA, but it does create similar requirements for companies that process biometric data, such as creating retention and destruction policies, prohibiting the sale of data, and (e.g., requiring reasonable security processes).
Towards 2025
Despite less attention to biometric protections in state legislatures this year, eight states will enact comprehensive privacy laws in 2025, and some states will add biometrics to the definition of “sensitive data.” There are provisions regarding authentication privacy.
Spivak said he expects the definition of biometric data to expand as technology advances. This could include increased use of the phrase “body-based data,” which is data derived from an individual’s characteristics, whether or not it can be used to identify an individual, he said. Last October, AI company Veritone released a new version of its Track software for law enforcement agencies. The software tracks people and vehicles using characteristics that are not normally considered biometric data, such as height or distinctive clothing.
“But what we’re seeing, especially in emerging consumer products, is that a lot of body data is being collected and used, but not necessarily for identification purposes.” Spivak said.
Mr. Spivak gave the example of research into the privacy implications of virtual reality technology, specifically augmented reality headsets. He said that just to make the technology work, the device tracks data about the user’s hand, body and eye movements, but that is not personally identifying data and is typically stored with personally identifying information. He said that there was no such thing.
Spivak said the creation and storage of body data could change the conversation around biometrics and influence policy discussions about how to protect them. For example, the FTC’s May 2023 policy statement on biometric data expanded the definition to include all types of physical data, Spivak said. And Colorado is already taking steps to protect body data, with the state passing in April the nation’s first law to protect the privacy of neural data, or information related to brain and spinal cord activity. It was approved.
But priorities at the federal level are unpredictable at this point, Spivak added. President-elect Donald Trump has not yet named a candidate to head the Federal Trade Commission. Whoever is chosen to lead the FTC will be involved in determining how the agency enforces protections for biometric data.
“It will determine how the FTC views the idea of body biometric data and what practices it will enforce against, if the FTC believes it has any impact on body biometric data. “It could have a big impact on how we do things,” Spivak said. Said.
