Biometric Data Collection and Privacy Compliance

An attorney weighs in on whether Northwest credit unions face any federal or state requirements related to biometric data collection practices.

10/24/17

Editor’s note: Brian Witt of Farleigh Wada Witt is the author of this article. The Farleigh Wada Witt law firm is the “Advocate Sponsor” of the Northwest Credit Union Association and serves credit unions throughout the Pacific Northwest with legal and regulatory compliance guidance.

Last week, a number of credit unions received a risk alert addressing Biometric Privacy Laws. The alert encouraged credit unions to be aware of emerging laws and the potential legal and regulatory risks of collecting and using member biometric data. As with any operational innovation, credit unions considering use of biometric data to secure financial accounts, transactions, and services should be aware of the legal risks that might impact these new technologies.

However, credit unions operating in Washington, Oregon and Idaho do not face any federal or state requirements related to biometric data collection practices.

  • Washington: While Washington enacted a new biometric data privacy law this summer, credit unions are expressly exempt, as are all financial service organizations subject to GLBA.
  • Oregon and Idaho: Oregon and Idaho have no state biometric data privacy laws.
  • Other states: Only Illinois and Texas have state biometric data privacy laws, which do impact companies like Apple, Google and Facebook who are using or developing facial tagging technologies or mobile banking applications using fingerprint ID authentication. Credit unions with out of state members in these states may wish to limit biometric data collection on such members to avoid these state consumer notice and consent requirements.

Also, the federal privacy laws (GLBA and Regulation P) do not cover biometric data as nonpublic personal information.

The new Washington law is quite different than the biometric data laws in Illinois and Texas and was crafted to strike a reasonable balance of protecting consumers from the collection, sale, and commercialization of biometric databases, while not hampering financial institutions from utilizing these important security and authentication measures.

Biometric data technologies like fingerprint ID authentication present exciting possibilities for credit unions to enhance security and fight financial fraud. Credit unions should of course take appropriate care to safeguard any sensitive member information, including biometric data, used to identify members or authenticate transactions. At this point, however, neither state nor federal laws create undue risks or burdens for credit unions in Washington, Oregon, and Idaho considering the opportunity to use biometrics for such purposes.