Regulations of Biometric Data: Impact on Industry

Regulations of Biometric Data: Impact on Industry

Parks Associates consumer data shows over half of consumers are concerned about their personal data security, and over a quarter are reluctant to adopt technology based on data security concerns.

Consumers are justified in their concerns, as nearly half reported experiencing at least one data security or privacy problem. The implications of data security are even more critical when applied to biometric data (e.g., face recognition, fingerprints, and iris scans) because biometric data is unique and cannot be altered. Once biometric data has been compromised, it cannot simply be changed like a password, making the potential consequences much more significant.

Regulations play a crucial role in mitigating these risks and ensuring that individuals’ biometric data is protected. Currently, there are no federal laws specifically governing the use of biometric technology in the United States, but multiple states and municipalities have enacted their own regulations for specific biometric technologies. For example, Texas and Illinois enacted biometric privacy laws that require companies to provide reasonable security measures to protect individuals’ biometric data from unauthorized access or disclosure. They also require the company collecting biometric data to obtain informed consent from users. At the local level, municipalities such as San Francisco and Boston have enacted bans or restricted face recognition technology for government use.

In Illinois, several major lawsuits have occurred since the passing of its Biometric Information Privacy Act (BIPA), and with damages calculated at $1,000 for each violation (increasing to $5,000 if the violation is judged intentional or reckless), costs can increase quickly and exponentially. For example, a recent verdict penalized BNSF Railway Co. $228 million, while White Castle System could face a ruling of more than $17 billion in a lawsuit brought by a former employee alleging the company collected and disclosed her biometric data without consent. These potential losses have had a significant impact on the tech industry, setting a precedent for future BIPA cases and now the need to find solutions to not only receive consent from users when collecting biometric data but also how to prevent the data from being compromised.

In contrast, accusations of Apple violating BIPA were dismissed because customers voluntarily use the touch and face ID options to access their phones. Also, and just as important, their biometric data was stored locally on the device. As long as tech that is using the edge to process data complies with informed consent, data retention, and data destruction requirements, they are not in violation of biometric data laws such as BIPA.

In comparison, if the technology is processing and storing data on the cloud rather than the edge, the risk of being liable if the collected biometric data is compromised is greater because the data is stored centrally. This requires cloud providers to implement additional layers of security, increasing the complexity and cost of implementing a cloud computing solution. In addition, obtaining consent to collect biometric data through a cloud-based service is more challenging since it often involves third-party providers.

Overall, BIPA and other forms of regulation have the potential to impact the development and use of edge and cloud technology with biometric capabilities, as companies must ensure compliance with the law's requirements for biometric data collection, use, and storage. Currently, it is much simpler for edge technology to be compliant with biometric data laws versus cloud-based technology for a few reasons:

  • Edge processes and stores data locally on the device itself, reducing the risk of unauthorized access
  • Edge devices usually transmit data with encrypted protocols, reducing risks of data interception or tampering
  • Jurisdictional issues can arise with cloud-based technology since the data is stored centrally. For example, biometric data collected from residents of different states must comply with the different laws of each state.

For these reasons, regulations may drive providers that manufacture technology that collects and stores biometric data to implement edge solutions.

Processing Power for Face Recognition

Video analytics applications employ AI to detect and identify persons, objects, animals, packages, license plates, and other subjects of interest visible in video camera feeds. Video analytics can also be fused with other contextual sensor data to validate the meaning and intent of the video subject, a critical issue in security use cases. Advances in enterprise video analytics are trickling down to consumer applications as chip, sensor, and cloud computing costs become more affordable.

Video processing can occur on an edge device or on-premises server, in the cloud, or a hybrid combination.

Available processing power in the edge device is a critical requirement for the level of data analytics complexity that can be delivered in real-time. For instance, intelligent motion detection is the simplest application of video analytics and requires far less processing power than face recognition. Intelligent motion detection reduces false alerts common to traditional passive infrared sensors (PIR) by filtering out everything (leaves, cars, animals, swaying bushes) other than what the user wants to know about (people or dogs). Some of these systems can also divide the visual field into zones with customized sensitivity settings.

As advancements have occurred, the pendulum of processing data at the edge or at the cloud has swung back and forth among smart home device makers. Both approaches have benefits and challenges associated with them, and some device makers are now taking a hybrid approach.

No alt text provided for this image
No alt text provided for this image

Cloud computing and storage refer to a type of computing where computing processes, data storage, and applications are performed on a centralized server over the internet. A device collects data, sends it to the cloud, and receives analysis via an internet connection. This allows users to access and use computing resources without having to manage and maintain physical hardware. The cloud can perform large-scale analytics and the ability to fuse data from other cloud sources while incorporating AI and machine learning. This allows for flexibility and scalability that edge does not provide.

However, due to the centralization of the data on the cloud, transferring large data streams or data files from the edge network to the cloud at high speed is difficult. Providers typically send video to the cloud for analysis only when a secondary sensor detects some anomaly, such as motion. Providers may also limit the resolution (size of the image) and framerate (number of images per second or per minute) to fit within bandwidth and cost constraints.

No alt text provided for this image


Read beyond this excerpt from Parks Associates white paper Face Recognition and the Smart Home: Applications, Demand, and Innovation written in partnership with Xailient.

Parks Associates has been investigating data security and privacy for decades. Past select research studies noted from our historical archive including:

Privacy is IoT’s Highest Hurdle (2015), Privacy and Security Come to the Fore for Connected Devices (2016), Privacy and Big Data: Safeguarding Consumers (2015), Best Practices for IoT Security and Privacy (2016), Will Consumer Privacy Inhibit Growth of the Smart Home? (2016), As Privacy Debate Rages, is the Ad Industry Fresh Out of Ideas? (2015), Health Wearables: Privacy Threat? (2014), Electronic Living @ Home (1997), Electronic Living at Home (1998), Electronics and Services @ Home (1998), Electronic Living @ Home II (1998), Broadband Access @ Home (1999), Networks @ Home (1999), Work @Home Facts Trends and Forecast (1999), Networks at Home (2000), Broadband Access @ Home (2000), US Builders and Emerging Technologies (2000), Networks @ Home (2001), Broadband Networked Households (2001) and more.  

Thanks for your support of our research work. Written by Chris White and Jennifer Kent, Ph.D. and support from Parks Associates research and executive editing teams. Graphics by Timothy Nguyen



Shelly DeMotte Kramer

Top 20 industry analyst, advisor, strategist, and B2B thought leader helping companies disrupt themselves and their industries, leverage technology in innovative ways, grow share of voice and share of market.

1y

Great read, Elizabeth. I was reading something earlier today about trust and how new international research shows a very low level of trust around IoT devices among consumers — and you led here with a similar data point. Add biometric data to the mix and trust is off the charts (not happening). Really enjoyed this read, the data shared by you and Xailient Inc., and your collective insights.

Andrew Hopkins

Fed Up with the Status Quo in Tech. New Solutions for Old, Unsolved Problems. Data management, Data Security, Data Rights. Distributed Data Management. UAV's, IoT, Autonomous Equipment

1y

Lot to unpack here - particularly the edge v cloud conversation. The ideal must surely be local processing, local storage, (enhanced) local security and peer to peer device communication? Sort of like an "inverted cloud"!

Howard Tiersky

WSJ Best Selling author & founder of QCard, a SaaS platform designed to empower professionals to showcase their expertise, grow their reach, and lead their markets.

1y

Great insights! It’s no surprise that consumers are concerned about the security and safety of their biometric data. Placing strong data privacy regulations is crucial to mitigate risks and threats.

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics