Biometric ID verification versus consumer privacy: What’s the solution?| Self-Service Innovation Summit 2020 | Vending Times

(Editor’s note: An earlier version of this article ran on Kiosk Marketplace, a Vending Times sister publication.)

Every improvement brings its conditions. Biometric identification — which has brought significant benefits to many self-service kiosks — isn’t risk-free. As the technology has emerged, so have consumer privacy laws, making it critical for self-service devices to comply with these requirements.

A panel during the recent Self-Service Innovation Summit made it clear that companies using biometric identification — whether it be fingerprint or facial image capture — can meet customer privacy requirements while offering the technology’s benefits.

Which isn’t to say compliance is easy, as early adopters of the technology have learned.

Lawsuits challenge technology

Lawsuits have been filed against both Lowe’s and Home Depot for scanning face images of customers coming into the store using closed captioning TV systems, said panelist Jeffrey Rosenthal, a partner at the Blank Rome LLP law firm who specializes in consumer privacy law. In one case the retailer was tracking customers’ movements through the store, but was alleged to have cross checked customers’ faces with criminal records.

“There’s a question as to whether those people entering the store gave notice or gave consent that their face was scanned for this purpose,” Rosenthal said.

In August, Rosenthal said, the largest biometric settlement in history, $650 million, Patel versus Facebook, was levied against Facebook for recording photos people were uploading to the site without informing them.

As for self-service applications, an action against the nation’s largest vending operator, Christine Bryant versus Compass Group USA in Illinois, is still pending.

Illinois law empowers consumers

Rosenthal cited the Illinois Biometric Privacy Act, passed in 2008, as one of the most far reaching consumer privacy laws in the country. The state recognized that a consumer cannot reproduce their facial image or fingerprint scan if they were stolen, and therefore assessed heavy penalties against companies that did not take measures to prevent identity theft.

Illinois also established the right of a consumer to sue if they felt their biometric identity was compromised. Because of this, more suits have been filed under the Illinois law than any other, he said.

Biometric privacy laws in Texas and Washington also require a company to get a customer’s consent to collect their biometric information. Unlike Illinois, the consumer cannot take action in these states, although the penalties in Texas and Washington are much higher.

“These laws, if they’re not where you are, they will be soon,” he said.

The good news is that businesses can comply with these laws by following fairly simple guidelines. “The right compliance methods are available,” Rosenthal said.

Rosenthal summarized the various laws’ requirements to include the following: data retention schedule, guidelines for permanently destroying biometric data, written notice, written release, prohibition against profiting from biometric data and data security protection.

Companies using biometric identification for their employees also need to get the employees to consent to having their data collected. Rosenthal recommended having a written policy for employees and a written consent form for them to sign.

Customer concerns minimal to date

The other panelists, all of whom operate self-service kiosks that use fingerprint or facial recognition to identify customers, have not to date encountered a lot of privacy concerns.

Panel moderator Linde Hutson, director of global marketing, communications and training, at 365 Retail Markets, a micro market provider, said some of her company’s customers have raised concerns about potential consumer privacy violations. The company’s technology allows customers to make purchases using fingerprint identification.

Panelist Ray Ledford, owner of Lêberry Bakery and Prime Restaurant Group, based in Pasadena, California, said none of his customers or employees have raised privacy concerns about the facial recognition his company introduced last year. Lêberry Bakery customers are advised prior to entry that they must consent to facial recognition to enter the store.

Biometrics are safe

Hutson pointed out the legal actions Rosenthal mentioned are not over safety; biometrics are safe to use.

Rosenthal agreed, stating legislatures want people to use biometrics and are encouraging it by acting to create user confidence. He views facial recognition as the safest biometric technology since there is no physical contact involved, as with fingerprint identification or PIN identification, and he expects it to grow the fastest.

“Facial recognition has been and will continue to take more of the market share of what types of biometrics you’re seeing…because it’s just safer,” he said.

Biometrics expected to grow

The panelists agreed that biometric identification brings important benefits and will continue to grow.

“This technology is incredibly important for the self-service industry and how we’re going to move into the future to serve our customers,” said Hutson of 365 Retail Markets. “I think that even without the pandemic, this is something that’s going to continue to grow.”

Ledford, who introduced facial recognition from PopID last year, agreed.

The customer looks into a tablet screen at the restaurant to be identified, Ledford said, eliminating and need for an employee to interact directly with the customer. If they are wearing a mask, the customer removes it, as there is no one within six feet to be exposed to COVID-19.

Daddy’s Chicken Shack in Pasadena, California, introduced facial recognition from PopID at the start of the pandemic, and has found that it speeds up transactions while keeping both customers and company personnel safe, said panelist Chris Georgalas, co-owner.

“It’s really helped us out throughout the whole transition with the whole pandemic,” Georgalas said, agreeing with Ledford that PopID removes direct contact between company employees and customers.

Biometrics will not replace user names and passwords for consumers who don’t want to use it, said Rosenthal. “It’s not like your other options are wiped away,” he said. “Companies want to encourage facial recognition because of all the benefits. Biometrics really are exploding on the scene.”

The session was sponsored by 365 Retail Markets.