Regulatory Roundup: The EU, NIST, and a Lot of BIPA

It’s been a busy couple of weeks in regulatory news in the world of biometric and identity technologies. Here’s our roundup of some of the most important developments, including ongoing BIPA proceedings:

The European Digital Rights Network (EDRi), an advocacy group, is urging Members of the European Parliament to reject a European Commission proposal that would incentivize the creation of a facial recognition database for user by police agencies across all European Union member states. EDRi says that such a turn of events would pose serious risks to civil rights in the EU.

The National Institute of Standards and Technology (NIST) is nearing completion of a new guidance on “Mitigating Cybersecurity Risk in Telehealth Smart Home Integration,” with a final product description having been completed this week. The guidance will focus on the protection of consumer privacy with respect to the use of health tracking Internet of Things devices. The guidance is being developed by NIST’s National Cybersecurity Center of Excellence.

Department of Defense CIO John Sherman says that the Pentagon aims to have zero-trust architecture in place across the majority of its enterprise systems by 2027. To that end, he has appointed a new Deputy Chief Information Security Officer, and DoD officials are working on a “cyber talent strategy” that is expected to be ready within the next two months. Sherman explained that “the adversary capability we’re facing leaves us no choice but to move at that level of pace,” according to a FedScoop report.

The BIPA Beat

The fashion brand Christian Dior is now facing a class action lawsuit under Illinois’s Biometric Information Privacy Act (BIPA). The suit concerns a “Virtual Try-On” feature on Dior’s website that allows a customer to see how their face would look with different kinds of eyewear, alleging that Dior did not inform users about the feature’s use of biometric technology, how their data would be used, and how long it would be stored, as required under BIPA.

YouTube and its parent company, Alphabet, now face a BIPA lawsuit concerning the video sharing platform’s “Face Blur” feature, which lets users select the faces of certain individuals in a video so that YouTube can automatically obscure them. The suit alleges that YouTube fails to inform users that the tool collects and stores face biometric data, a practice that is essential for its operation. Google reached a $100 million settlement in a previous BIPA case, concerning Google Photos’ “Face Grouping” feature, earlier this year.

Kohl’s has become the latest major retailer to face a class action lawsuit under Illinois’s Biometric Information Privacy Act (BIPA). The lawsuit alleges that Kohl’s collects customers’ biometric data through its “advanced video surveillance systems,” and that it has not acquired customers’ explicit consent to do so, as per the requirements of BIPA.

A class action lawsuit has been filed against the restaurant chains Applebee’s, Red Lobster, Chipotle, Blaze Pizza, Portillo’s, and Noodles & Co. over their alleged violations of Illinois’s Biometric Information Privacy Act. The lawsuit revolves around the restaurant chains’ use of a voice-based ordering system that allegedly collected the voice biometrics of customers who used the system, without first obtaining their express consent.

Oak Point University, an Illinois post-secondary institution known for its nursing programs, will face a class action lawsuit over its use of remote testing software from Respondus Monitor. The software collected students’ voice and face biometrics to confirm their identities before proceeding with remote exams, a practice that is alleged to be in violation of the state’s Biometric Information Privacy Act.

–

September 9, 2022 – by Alex Perala