Amazon Go Stores recently announced a new biometric technology making it even easier for customers to come, shop, and go at these retail outlets. See news report here. The technology involves palm geometry and blood vessel scanning. Like fingerprints, retinal patterns and face geometry, each person’s blood vessel configuration is unique and, once scanned and stored electronically, can be used to uniquely identify a person.

According to Amazon, the new blood vessel/palm scan will be used to simplify and speed payment processing. However, it is expected that the technology could be used for other purposes like verification of identity for airports, concerts, sporting events and as a replacement for workplace security like keys and swipe-cards. Amazon also touts the new biometric technology because it is touchless (unlike swipe-cards and fingerprints). This has obvious advantages for workplaces and venues continuing to deal with the COVID-19 pandemic. Amazon also touts blood vessel biometric identification as more secure than other biometrics because it is much more difficult to fake. Unlike face geometry — and even fingerprints — blood vessel configuration cannot be visually observed.

Legally, this opens up another battleground in the fight to protect consumer and individual privacy. There are already many statutes enacted in various states and localities that regulate various biometric information that can be used for personal identification. Some state statutes have already added vein/vessel configuration in the definition of biometric data. For example, the California Consumer Protection Act (“CCPA”) defines “biometric information” very broadly to include “physiological, biological or behavioral characteristics … that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.” Palm and vein patterns are specifically listed as an example. See Cal. Civ. Code, section 1798.140(b).

In general, like many similar statutes, the CCPA requires that a person give consent before any sort of biometric information is collected. Further, an individual must be given notice of the business purposes to which the information will be used and notice with respect to how and where the information is stored, with whom and under what conditions the information is shared, how long the information is stored, and how, when and in what manner the information might be destroyed. Finally, the CCPA mandates that individuals be allowed to “opt out” of having certain types of information collected about them. Other states also protect biometric information including:

• Texas
• Washington
• Arkansas
• New York

These statutes either explicitly mention blood vessel/vein patterns or have a catchall phrase like “other unique biological pattern or characteristic.”

Other statutes — like the Illinois Biometric Information Privacy Act (“BIPA”) — do not specifically mention blood vessel/vein configuration as a type of biometric data. See 740 ILCS 14/10. The BIPA defines a “biometric identifier” as an “iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” There is no general “catchall” word or phrase. The BIPA will have to be amended by the Legislature or by the courts to cover blood vessel/vein technology. This is very likely to happen.

Based on the news report, Amazon is already well aware of its need to obtain consent before taking and using blood vessel/palm scanning technology. However, the report did not indicate whether Amazon satisfied the various notice requirements and whether Amazon has acknowledged the enhanced cybersecurity requirements that come with collecting personally identifiable information.

Legal lessons: Businesses contemplating use of the new biometric technology should approach with caution and ensure compliance with ALL notice, consent and cybersecurity requirements.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.