Program on Economics & Privacy affiliated faculty member, Professor Jane Bambauer, explores the recent developments in biometric privacy laws in her latest paper, “Biometric Privacy Laws: How a Little-Known Illinois Law Made Facebook Illegal.”

Banks and retailers are increasingly interested in using biometric information to authenticate customers by converting a scan of their biological features into an elaborate password.

The benefits of biometric authentication are obvious, but so are the drawbacks: since the systems use scans of irises, fingers, and even facial structures, a user’s biometric passwords are on public display every time they leave the house. Some states have passed biometric privacy laws to help facilitate the development of biometric authentication technologies. But these well-intentioned biometric privacy laws showcase the problems that arise when public policy tries to keep up with technology.

They are wildly overbroad, potentially exposing even individual users of basic photo organization software to civil liability based on conduct that poses no risk to data security. What is more, the laws are also unlikely to be necessary to accomplish their intended goals; companies that are developing biometric authentication systems to protect sensitive personal data are already using technological solutions to manage the security risks, rendering the legal solutions obsolete. Finally, their scope possibly contravenes the First Amendment and the Dormant Commerce Clause.

Although the purpose of these nascent laws is laudable, so far they appear to have only spurred class action litigation that is likely to harm, rather than help, the interests of the average consumer.

Read the full paper here.