Tapping into the Biometric Revolution in a Shifting Landscape

If you're thinking about incorporating biometric information into your health club, there are four principles you need to consider to help protect yourself.

For some time now, IHRSA has been examining the many sides of the biometric revolution, highlighting how clubs can take advantage of the consumer demand for health and fitness data to create successful initiatives that increase results and retention. Biometric data can do so much more than help with consumer demand and increasing engagement with your members. It can drive greater efficiencies in club operations, improving decision-making and resulting in cost savings.

Biometrics are the exciting, new toy that opens up possibilities to club operators to expertly tailor members’ workouts and demonstrate tangible results. With tools such as:

  • fingerprint scans,
  • body composition scans,
  • VO2 max testing,
  • iris scans and facial recognition.

What’s the “but”?

Biometric data may be the next step in the era of big data, but it is also sensitive information about your members or employees and needs to be appropriately protected. That sounds simple, but it might not be enough just to protect their data. Not to mention what qualifies as protection could be changing.

Just as you are interested in biometric data and what it could mean for your business, lawmakers are increasingly interested in biometric data and what it means for individuals’ privacy. The use of biometrics has some concerned about the erosion of privacy and potential civil rights issues.

What does this mean?

It means that this exploding biometric revolution—that businesses, consumers, and portions of the government all want to take advantage of—is currently operating on a foundation built largely of sand. With lawmakers actively looking to regulate the collection and use of biometric data, the legal and regulatory landscape for biometric data is in flux and likely will remain so for the next several years.

As of this writing, 12 states are considering proposals restricting the use of biometric data, and Congress has jumped in as well with a proposal around facial recognition technology. How the coming biometric data laws are written and interpreted will determine how valuable biometric data ultimately is to health clubs and other businesses moving forward.

The 12 states considering proposals restricting the use of biometric data are AZ, CA, CT, FL, IL, MA, MT, NH, NJ, NY, OR, and RI.

How do you leverage this exciting technology in an uncertain and shifting legal landscape?

I don’t have a crystal ball, but if we look at the states with laws restricting biometric data and the proposals in states considering doing so, we can identify trends and principles that will help us plan for the coming biometric landscape.

Currently, only Illinois, Texas, and Washington have privacy laws regulating the collection and use of biometric data. While each state defines biometric data differently, there are similarities in the requirements for collecting and handling biometric data. Looking at the states currently considering biometric data bills, many apply the same broad principles as Illinois, Texas, and Washington. Here are the five general principles that emerge from my review of biometric proposals:

  1. Notice: Inform your members/employees that their biometric information is being collected, why it is being collected, and how it could be used.
  2. Consent: Get consent from your members/employees to collect and use their biometric information.
  3. Retention: Establish a schedule for how long you store member/employee biometric information.
  4. Security: Ensure that the level of security you provide for biometric information is at least as high as, if not higher than, the level you provide for other confidential or personal information.
  5. Purpose: Articulate a rationale for collecting biometric data, and make sure that it is consistent with any applicable law. Are you trying to strengthen your club’s security? Provide more benefits to your members? You should know why collecting biometric data will improve your business.

These principles are in line with a broader shift in how society and regulators view data privacy. As highlighted in the May CBI The Data Privacy Priority, the advent of the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) have signaled a move toward greater transparency and consumer control over the collection and use of personal data. If you are collecting biometric data—or considering doing so—you should give serious thought to incorporating these principles into your business processes.

Some suggestions for how you could begin to operationalize these principles:

  • Put it in writing: Create a written form that you can give to members/employees explaining your biometric data collection practices.
  • Less is more: Only collect and store the biometric data you need. Minimizing collection reduces your risk.
  • Get it in writing: Obtain written consent from members/employees authorizing the collection of their biometric data and keep the consent on file.
  • Retention schedules: Create a retention schedule and guidelines for permanently destroying biometric information when there is no longer a business or legal need to retain it. Share the retention schedule with your members/employees. Also, be sure to consult your state’s record retention laws to ensure you are in compliance.
  • Anonymize if possible: If possible, make the data anonymous, so it cannot be linked back to a specific individual. There are different ways to achieve this, depending on the technology you are using.

Taking steps now to bake in the principles of notice, consent, retention, and security could pay real dividends by minimizing business disruption as new biometric laws come into force. For instance, Illinois’ Biometric Information Privacy Act (BIPA) contains a private right of action. This right of action means private companies found guilty of violating BIPA are liable to compensate plaintiffs:

  • $1,000 or actual damages (whichever is greater) if found to be negligent,
  • $5,000 or actual damages (whichever is greater) if found to have intentionally or recklessly violated the law.

In a recent ruling, Rosenbach v. Six Flags Entertainment, the Illinois Supreme Court determined that a company can be sued for violating BIPA even if its collection of biometric information did not result in any harm to the plaintiff. In other words, if you collect biometric data in Illinois and you miss one box on the BIPA checklist, you are liable.

The lawsuits have already begun and will only grow from here. Florida, New York, and Rhode Island are each considering biometric bills that are substantially similar to Illinois’ BIPA—including the private right of action—so the stakes for participating in the biometric revolution could be high!

What's the consensus on regulating biometric data?

There isn't one. However, there are enough commonalities between existing laws and proposed laws that we can see how lawmakers are approaching the issue. As with any evaluation, there are outliers that do not fit the trends. Oregon Senate Bill 284, for instance, would outright prohibit employers from collecting biometric data from employees. New Hampshire House Bill 536, meanwhile, makes it a violation of the New Hampshire consumer protection law for a business to collect, use, disclose, or store biometric information for “any purpose other than that which the individual reasonably expects.” Combine this with a very broad definition of biometric information, and the bill becomes so vague that it is difficult to understand how it would be applied.

Now is a great time to start evaluating how you collect biometric data and consider the four principles of notice, consent, retention, and security. If you haven’t joined the biometric revolution yet, but are thinking of it, consider baking these principles into your biometric program and help insulate yourself from the shifting biometric data landscape.

Jeff Perkins

Jeff Perkins previously served as IHRSA's Vice President of Governance & Public Affairs—a position that focused on monitoring and influencing legislation at the state and federal level to protect club business models and operations, and help promote the health benefits of exercise.