Fingerprint identification technology uses fingerprints to uniquely identify individuals. The technology has been used by law enforcement agencies for decades, and dozens of statutes regulate when government agencies may collect fingerprints, how they are permitted to use them, and with whom they can be shared.
Advances in fingerprint recognition software have lead many private entities to begin using the technology to authenticate consumers. For example, many mobile devices have integrated fingerprint recognition technology to replace, or supplement, passwords or passcodes. Some employers are also using fingerprint recognition technology to increase the accuracy and efficiency of employee timekeeping systems.
There is currently no federal statute that expressly regulates private-sector use of fingerprint recognition software. Nonetheless, the FTC, which has authority to prevent unfair and deceptive practices, may proceed against companies that misrepresent how they use, secure, or disclose captured fingerprints or fingerprint geometry.
Numerous states have enacted statutes concerning the collection of fingerprints by government agencies, by accreditation boards, or in certain regulated industries (e.g., childcare and education). At least two states have also enacted statutes that govern the private sector’s use of the technology outside of specific fields and applications. Those statutes generally require that if an organization “captures” a fingerprint’s geometry it must provide the consumer with notice and obtain their consent. In addition, if an organization stores fingerprint geometry then it must limit its disclosure to third parties, enact measures to secure the fingerprint from unauthorized access, and limit its retention after it is no longer needed. A number of additional states require that if a company collects fingerprints it take steps to prevent the fingerprint from being acquired when in the process of being destroyed.
Number of fingerprints held by one government agency.1
1 in 50,000
Probability of a false match claimed by one mobile device in conjunction with fingerprint recognition software.2
$5,000 - $25,000
The range of possible fines and damages that could be assessed under state law for each violation of a fingerprint identification statute.3
Largest class action settlement / judgment against a company for allegedly collecting fingerprints without providing proper notice and obtaining appropriate consent.4
Consider the following when using fingerprint identification technology:
1. FBI, Next Generation Identification (NGI) Monthly Fact Sheet (Oct. 2017) available at https://www.fbi.gov/file-repository/ngi-monthly-fact-sheet/view (viewed Dec. 2017).
2. https://support.apple.com/en-us/HT204587 (last viewed Dec. 2015).
3. See, 740 ILCS 14/20 (1)-(4); Tex. Bus. & Com. Code § 503.001(d).
4. Stipulation of Class Action Settlement, Sekura v. L.A. Tan Enterprises, Inc., Case No. 15-CH-16694 (Cir. Ct. Cook County Ill. June 20, 2016).