The Importance of Biometric Privacy - Compliance with increasing USA Privacy Regulations
Importance of Biometric Privacy
Most companies assume that data protection and privacy are mainly European issues, based on the GDPR. Although the GDPR sets among the highest standards for data protection and privacy, the USA is following suit: there are regulatory frameworks in place in California (CCPA) and Illinois (BIPA), among others, which seek to control how businesses process personal data.
However, this is not only a regulatory issue. It also goes to the heart of the trust relationship between businesses and their customers or employees.
ValidSoft has invested considerably in applying a Privacy-by-Design approach to its solutions, and works closely with its customers, in Europe and the USA, to ensure that basic (and advanced) privacy-enhancing technologies are built into its solutions from the ground up.
The most fundamental of such privacy-enhancing approaches is to ensure that users are fully informed of how their personal (and biometric) data will be used, and to ask them to agree to that use.
USA Privacy Law: Illinois Class Action Suit
Getting this wrong can mean serious regulatory and other legal liability, so companies must take their responsibilities seriously. In a recently filed Illinois class action, it is claimed that Amazon Web Services' cloud-based call center operations violated Illinois residents' rights under the state's Biometric Information Privacy Act. Specifically, the claimants argue that AWS collects voice data from people who call its centers and sends it to Pindrop Security Inc. (Pindrop), which converts it into biometric voice data and sends it back, without obtaining the callers’ consent for the capturing and use of their biometric data.
This is indeed confirmed by Pindrop’s own Pindrop Passport Product Description, which repeatedly stresses that the software extracts data from a speaker’s voice, passively enrols the speaker, and passively authenticates the speaker later – all in ways that are “invisible to legitimate callers”.
This surreptitious capturing of biometric data from individuals who call contact centers would indeed appear to be in clear violation of the informed consent requirement for the capturing and use of biometric data under Illinois’ Biometric Information Privacy Act (BIPA) – and increasingly also in breach of other U.S. state laws, such as California’s Consumer Privacy Act (CCPA).
Pindrop’s solutions, moreover, have built-in behavioural analysis tools that are also used “passively” or “in the background” – i.e., unbeknown to the individuals whose behaviour is analysed. If used in Europe, these features of Pindrop’s Passport would be in serious breach of European data protection law, and in particular the GDPR, which strongly emphasises the need for full transparency in the capturing and use of biometric data, and the need for free, fully-informed and explicit consent for the use of such data.
In stark contrast to Pindrop, ValidSoft’s voice biometric authentication solution meets all these high privacy standards by design and default, as confirmed in in-depth internal and external Privacy Impact Assessments carried out by ValidSoft’s data protection officer, foremost European data protection expert, Professor Douwe Korff.
As a result of this Privacy by Design philosophy, ValidSoft’s solution has been awarded the only EU-recognised European Privacy Seal for any voice biometric product, confirming its compliance with EU data protection law. Indeed, ValidSoft is the only security company in the world to have been awarded four EU-recognised European Privacy Seals for its privacy-sensitive solutions. ValidSoft customers using ValidSoft’s voice biometric solution can be assured that they will be in full compliance with all USA and EU privacy/data protection laws in their use of the voice biometric service.