Six Ways to Address Privacy Concerns in Biometric Vendor Contracts

Cybersecurity Law Report

Three forces are fueling a biometrics boom in 2021. A wide array of stores, banks, offices and other enterprises are using hand or other scans to confirm identity and control physical access. Similarly, the “verified internet” is fast emerging, with a growing number of websites and apps using face scans or voiceprints to check ages, prevent fraud and maintain security.


Large providers of biometric authentication in Illinois generally disavow responsibility for BIPA compliance, said Blank Rome partner Jeffrey Rosenthal. They take the position, he reported, that “as the time-clock supplier, I will process your software, but I won’t know whether you are getting the consent from your employees. I just put out the framework for you to use.”


3) Deletion

“Deletion is important in the biometric space,” Rosenthal said. BIPA obligates deletion after three years. Courts have deemed improper retention of a plaintiff’s data a concrete harm.

Deletion exemplifies how “biometrics laws put more of an administrative burden on vendors,” Rosenthal noted. The contract should reflect that a company and vendor need to share frequent updates about data subjects’ status, like employees leaving their job.

4) Biometric Data Security

Companies should check the vendor’s security measures when preparing the contract, said Rosenthal. Obtaining rights to audit or monitor is also valuable. “Most of the biometric laws talk about protecting biometric data to the level of your most sensitive corporate data,” he noted. BIPA prudently “allows for flexibility in what that means for each industry,” but the legislators have highlighted security, noting that a person cannot swap their biometric geometry for a new one, he explained.

Companies are accountable for security breaches even if vendors are holding the biometric data, Rosenthal added. At least 14 states expressly include biometrics in their data breach notification laws, he noted. Biometrics databases have been breached, including a 2019 researcher hack of 27 million fingerprints and facial geometries in the Biostar 2 database.

“Six Ways to Address Privacy Concerns in Biometric Vendor Contracts,” by Matt Fleischer-Black was published in Cybersecurity Law Report on March 3, 2021.