Privacy Laws Self-Service – Whose, What and Where?

By | April 29, 2022

Running article on privacy and its impact on unattended public interaction — linkedin

Craig Allen Keefner, Consultant Self-Service Technology

Posted an article today about Amazon and its Alexa Together. Good for seniors and for remote telehealth. And it goes to show speech recognition and voice recognition gaining speed in multiple sectors. As an aside, it's worth noting that beneficiary telehealth visits increased 63-fold in 2020, according to an HHS study.

Your voice is singularly yours until it is saved and reproduced. Giving Alexa Together to my Mom in her skilled nursing might be even more effective if Alexa’s voice was mine.

We sometimes say that ADA and accessibility in the workplace are too often a patchwork of state laws, rulings, federal guidelines and the type of entity involved to begin with.

But looking at privacy laws (and biometrics) that situation seems to be even worse.

Privacy regulations such as HIPAA have always been observed and enforced; however, they are very specific about the situations to which they apply. Generally, doctor-patient confidentiality is the basis. Periodically a breach occurs and an institution has a multi-million-dollar fine levied against it. The news rises to the top momentarily and then subsides into its periodic oblivion.

Privacy data needs to be defined. It includes biometric data but also everyday credentials such as the license tag on my car. Do I really want that stored in a database which is eventually sold? Then again, DMVs have done that in the past. There are cyber credentials, representational credentials, and purely physical credentials such as your iris, palm veins or fingerprint. There is also observed data: large-format digital signage may include cameras for customer observation. One could compile a long list of what China does to the Uyghurs via Hikvision and Dahua. For that matter, many of the temperature scanners installed at the state and local level include facial-recognition algorithms by Dahua and "touch" a Chinese server.

Below are the potential biometric modalities NCR Dundee laid out back in 2003.

[Chart: ways to capture biometric data, from NCR Dundee]

The cost factors have all changed and the introduction of AI into the equation only complicates things.

Be Aware

Interfacing with automation in the public domain means doing a quick check of what exactly it is you are dealing with, whether you are in your car, walking the shop floor, or stopping off in a Starbucks or an Amazon Go store.

  • Is there a camera? How many?
  • What about a microphone?
  • Is your mobile phone transacting over Bluetooth?
  • Are there traffic sensors (vehicle and footfall)?
  • Which recognition technologies are in play? Audio, visual, other sensory.
  • What data are they collecting, and how will it be used and stored?
  • Did they ask for and get your permission?
  • Finally, in which US state are you interfacing with the automation?

From Varonis

Q: Which states have privacy laws?

A: Very few — three in total! Sure, all 50 states now have a data breach notification rule, usually also calling for reasonable data security. But as of this writing, only California, Nevada, and Maine have privacy laws in effect. Several states (see above) have privacy laws working their way through the legislatures. For a current snapshot of the status of these proposed state laws, the International Association of Privacy Professionals (IAPP) is maintaining an up-to-date scorecard.

Nice overview here of how the states compare and the legislation ongoing — https://iapp.org/news/a/us-state-comprehensive-privacy-law-comparison/

Drinker Biddle BIPA Reference – Excerpt: In the early 2000s, a company called Pay By Touch promised to “Change the Way the World Pays” with a “biometric” authentication and payment system. The system enabled consumers to link various accounts (credit cards, checking accounts, loyalty programs, etc.) to their fingerprints, and then access their accounts or make a payment with the touch of a finger rather than using cash or swiping a card. Investors poured $340 million into the venture, and millions of consumers signed up. By late 2007, however, Pay By Touch and one of its founders—John Rogers—were mired in controversy and litigation (including bankruptcy), and in March 2008, Pay By Touch ceased all operations. While Pay By Touch’s time was short-lived, it did have a profound impact on future endeavors involving biometric information, just not in a way that its founders likely expected. Pay By Touch’s rise and fall was the catalyst for the first state law governing the collection, use, safeguarding, and storage of biometric information: the Illinois Biometric Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). While BIPA has been on the books since October 2008, it is only recently, as the use of biometric information becomes more commonplace (the fingerprint scanner on the iPhone, for example), that BIPA is once again garnering attention—this time, from the plaintiff’s class action bar. Companies looking to use biometric technology in Illinois or during interactions with Illinois residents should be aware of BIPA and ensure that they are complying with its requirements. Companies operating outside of Illinois should pay attention to similar legislative initiatives in other states.

A number of states have passed or are considering the NAIC Model Law for Cybersecurity, which includes requirements for confidentiality, risk assessment and breach notification. See Mississippi Senate Bill 2831, signed into law earlier this month: https://legiscan.com/MS/text/SB2831/id/1899113 . Similar legislation has been introduced in CT and NH.