Protecting the Biometric Data of Minor Students
by Devin Forbush
Introduction
At the beginning of this month, in considering topics to comment on and analyze, a glaring issue so close to home presented itself. In a letter written on January 24, Jamie Selfridge, Principal of Caribou High School, notified parents and guardians of students of an “exciting new development” to be implemented at the school.[1] What is this exciting new development you may ask? It’s the mass collection of biometric data of their student body.[2] For context, biometric data collection is a process to identify an individual’s biological, physical, or behavioral characteristics.[3] This can include the collection of “fingerprints, facial scans, iris scans, palm prints, and hand geometry.”[4]
Presented to parents as a way to enhance accuracy, streamline processes, improve security, and encourage accountability, the identiMetrics software to be deployed at Caribou High School should not be glanced over lightly.[5]While the information around Caribou high school’s plan was limited at the time, aside from the Maine Wire website post and letter sent out to parents & guardians, a brief scan of the identiMetrics website reveals a cost effective, yet in-depth, data collection software that gathers over 2 million data points on students every day, yet touts safety and security measures are implemented throughout.[6] While this brief post will not analyze the identiMetrics software as a whole, it will rather highlight the legal concerns around biometric data collection and make it clear that the software sought to be implemented by Caribou high school takes an opt-out approach to collection and forfeits students’ privacy and sensitive data for the purpose of educational efficiency.
Immediately, I started writing a brief blog post on this topic, recognizing the deep-seated privacy related issues for minors. Yet, the American Civil Liberties Union of Maine beat me to the punch, and on February 13th, set forth a public record request relating to the collection of biometric data to be conducted at Caribou High School due to their concerns.[7] The next day, Caribou High School signaled their intention to abandon their plan.[8] While I was ecstatic with this news, all the work that had been completed on this blog post appeared moot. Yet, not all was lost, as upon further reflection, this topic signaled important considerations. First, information privacy law and the issues related to it are happening in real-time and are changing day-to-day. Second, this topic presents an opportunity to inform individuals in our small state of the nonexistent protections for the biometric data of minors, and adults alike. Third, this reflection can sets forth proposals that all academic institutions should embrace before they consider collecting highly sensitive information of minor students.
This brief commentary proposes that (1) Academic institutions should not collect the biometric data of their students due to the gaps in legal protection within Federal and State Law; (2) If schools decide to proceed with biometric data collection, they must provide written notice to data subjects, parents, and legal guardians specifying (i) each biometric identifier being collected, (ii) the purpose of collection, (iii) the length of time that data will be used and stored, and (iv) the positive rights that parents, legal guardians, and data subjects maintain (e.g., their right to deletion, withdraw consent, object to processing, portability and access, etc.); and (3) Obtain explicit consent, recorded in written or electronic form, acquired in a free and transparent manner.
The Current Legal Landscape for the Protection of Children’s Data
In the United States there is no comprehensive federal privacy and data protection law in place.[9] Instead, the current state of privacy law exists in a patchwork nature, with Congress enacting specific statutes over the past five decades in response to economic and social necessities along with the development of new technologies.[10] The aforementioned approach within the United States has led to a hodgepodge of fragmented sectoral laws, leaving large areas of the economy completely unregulated.[11] One part of the economy in particular that is highly unregulated is the collection of children’s data.
In an aim to rectify part of this issue, The Family Educational Rights and Privacy Act (FERPA) provides students with substantive rights surrounding their educational records and personally identifiable information.[12] Importantly, FERPA prohibits any educational institution from disclosing a student’s personally identifiable information without the written consent of the parent, legal guardian, or the student.[13] Biometric records are covered under this provision, including records of “one or more measurable biological behavioral characteristics that can be used for automated recognition of an individual.”[14] In addition, FERPA grants student data subjects substantive rights, including the right to review their records, the right to correct inaccurate, or privacy-violative information, the right to consent to disclosure, and the right to file a complaint for a FERPA compliance failure.[15] Yet, there are exemptions to FERPA where student records are within the sole possession of the educational institution.[16] In the case of identiMetrics, this is a considerable concern as it states the data is located within the school district completely and access is restricted to employees or officials of the school district with permissions.[17] It’s likely that in using an outside service, yet retaining sole possession of the records, biometric collection could fall within this FERPA exception not requiring written consent, or compliance with other FERPA provisions. While this brief blog does not complete a deep dive on FERPA, this brief explanation seeks to identify that FERPA promotes opt-in privacy practices and sets forth substantive data subject rights, yet gaps of protection remain.
The Children’s Online Privacy Protection Act of 1998 (COPPA) attempts to similarly provide some level of protection over children’s personal information online, yet the law is narrow in application to children under the age of thirteen.[18] COPPA is further narrowed due to it applying only to operators of websites that are “‘directed to children’ or where the operator of the website ‘has actual knowledge that it is collecting personal information from a child.’”[19]Unfortunately, in the educational biometric collection context, COPPA is inapplicable as its focus is narrow to operators of websites not educational institutions.[20] The FTC has recently proposed a rule change to COPPA, which aims to alter the law to encompass the collection of biometric identifiers of children.[21] Importantly, the proposed rule provides a ”school authorization exception . . . [which] must identify the individual providing consent and specify that the school has authorized them to do so.”[22] Within this proposed amendment, additional notice, written authorization, and purpose limitation requirements are set forth.[23] This proposed rule could strike the correct balance for the protection of children’s biometric data and the proper restrictions that should be placed on educational institutions before data collection and processing. On top of concerns around whether the proposed rule will even pass is the consideration that minor students older than thirteen remain vulnerable.
Many states around the country have passed general data privacy laws, some of which address concerns around children’s privacy.[24] These state laws tend to broaden regulation on interactions with websites and social media platforms, requiring express consent from parents and legal guardians and expanding protections to minors under the age of 18.[25] While vitally important, there are very few states that currently have laws on the books protecting biometric data, particularly for children. Importantly, Maine is not a state that has passed any substantive privacy legislation.[26]
Currently, Illinois,[27] Texas,[28] and Washington[29] are the only states that have enacted laws protecting the biometric data of data subjects within their borders. While their provisions vary, all three laws expressly prohibit the collection, capture, or storage of biometric data unless an entity provides requisite notice and acquires consent from the individual.[30] On top of this, each law sets restrictions on the sale of biometric data,[31] security storage obligations,[32]and destruction requirements.[33] Lagging behind the trend of many states passing comprehensive privacy legislation, Rep. Maggie O’Neil has proposed many acts seeking to rectify privacy harms imposed on Mainers.[34] Notable to Caribou’s proposed biometric collection, one proposed Maine bill, H.P. 1094, would expressly prohibit the collection, storage, use, or transfer of an individual’s biometric data unless the private entity sufficiently informs the data subject and acquires affirmative written consent.[35] H.P. 1094 aligns with other biometric state laws in place and provides a private right of action for aggrieved data subjects.[36]
The United States sits in direct contrast to European data protection law. The General Data Protection Regulation (GDPR) is currently the gold standard for data privacy and security in the world. Coming into effect in 2018, the GDPR is a comprehensive data privacy law that provides broad protections for the fundamental rights and freedoms of natural persons in the European Union and sets forth an effective framework for the legality around the collection, processing, storage and transfer of personal data.[37] Vitally, the GDPR places a significant emphasis on the protection of the personal data of children.[38]
The processing of children’s personal data is only lawful where consent is provided.[39] Children can independently consent when they are at least 16 years old.[40] Where younger, consent must be given by a parent/guardian of the child.[41] Normally consent under the GDPR should be freely given, specific, informed, and display an unambiguous indication of agreement.[42] Yet, pertinent to the issue at hand, biometric data is a special category of data that the GDPR expressly prohibits the processing of, unless an exception applies.[43] These exceptions are expressly narrow and require explicit consent to be given[44] or another restrictive ground to be satisfied.[45] In addition, data subjects have the explicit right not to be subject to automated individual decision-making, including profiling.[46] Profiling encompasses evaluating personal aspects of an individual, such as their health, personal preferences or interests, behavior, or the like, which produces legal or similarly significant effects.[47] On top of all of this, the GDPR establishes positive obligations for controllers to process data in lawful, fair, and transparent means and principles for obtaining consent.[48] Moreover, the GDPR affords a host of explicit rights to data subjects who are subject to processing.[49]
Recommendations
While this brief post was unable to delve into areas of the law that may be implicated by the processing of student data, it is clear that the current legal landscape in the United States is far from sufficient. Instead of taking a process data first, protect data later approach, educational institutions should err on the side of not processing data until reasonable legal protections are enacted. Where educational institutions do process data, they should ensure the written notice and consent based off the processing is lawful, fair, and transparent. This ensures compliance with various sectoral state statutes. Furthermore, institutions should provide explicit detail on (i) each biometric identifier being collection, (ii) the purpose of collection, (iii) the length of time that data will be used and stored, and (iv) the positive rights that parents, legal guardians, and data subjects maintain (e.g., their right to deletion, withdraw consent, object to processing, portability, access, correction, etc.). This approach would align with the requirements under FERPA, sectoral state BIPA laws, and the GDPR’s requirements. In addition, biometric processing educational institutions should acquire consent from data subjects and their legal guardians. This should be conducted in a manner that ensures individuals are fully informed of their rights and the purpose, scope, and duration of the processing as well as any risks related to it. Before processing, educational institutions should consider whether the objectives of processing can be achieved through alternative means. While technological innovations offer a vast array of benefits, we must ensure that strong legal frameworks are in place to protect the most sensitive data of those who will lead the charge of future innovation.
[1] Steve Robinson, Maine School Will Begin Biometric Scanning, Data Collection for Students, The Maine Wire (Feb. 2, 2024),https://www.themainewire.com/2024/02/maine-school-will-begin-biometric-scanning-data-collection-for-students/.
[2] Id.
[3] Stefan P. Schropp, Biometric Data Collection and RFID Tracking in Schools: A Reasoned Approach to Reasonable Expectations of Privacy, 94 N.C. L. Rev. 1068, 1071 (2016).
[4] Biometric Data, Innovatrics, https://www.innovatrics.com/glossary/biometric-data/#:~:text=Biometric%20data%20is%20defined%20as,palm%20prints%2C%20and%20hand%20geometry.
[5] Robinson, supra note 1 at “Jamie Selfridge’s Letter to Parents.”
[6] identiMetrics Platform, identiMetrics, https://www.identimetrics.net/platform#identiMetricsPlatform (last visited Feb. 20, 2024) (identimetrics contends that no fingerprints are stored and are unable to be recreated from the encrypted numerical template they reside within. It assures that the software is completely safe and secure and touts its signatory status to the Future of Privacy Forums “Student Privacy Pledge.”)
[7] Samuel Crankshaw, Caribou High School Plans to Fingerprint Students. We’re Demanding Answers, ACLU Maine (February 13, 2024), https://www.aclumaine.org/en/caribouopenrecords.
[8] Melissa Lizotte, Caribou school abandons plan to track students with fingerprint technology, Bangor Daily News (Feb. 13, 2024), https://www.bangordailynews.com/2024/02/14/aroostook/aroostook-education/caribou-abandons-plan-fingerprint-technology-track-students/.
[9] See generally Daniel Castro, Luke Dascoli and Gillian Diebold, The Looming Cost of Patchwork of State Privacy Laws, Information Technology & Innovation Foundation at “Introduction” (January 24, 2022), https://itif.org/publications/2022/01/24/looming-cost-patchwork-state-privacy-laws/.
[10] See Daniel J. Solove, A Brief History of Information Privacy Law, Proskauer on Privacy 1-24 to 1-45 (2006) (detailing the timeline and reasons behind enacting privacy laws ranging from the 1966 Freedom of Information Act (FOIA) to the Electronic Communications Privacy Act of 1986 to the Health Insurance Portability and Accountability Act of 1996 to the Fair and Accurate Credit Transactions Act of 2003).
[11] See Carol Li, A Repeated Call for Omnibus Federal Cybersecurity Law, 94 Notre Dame L. Rev. 2211, at 2213-14 (2019).
[12] 20 U.S.C. § 1232g(a)-(b).
[13] Id. at (b). But see id. (b)(1)(A)-(L) (detailing the various exceptions to the written consent requirement).
[14] Protecting Student Privacy, U.S. Department Of Education at “Subpart A – General § 99.3 what Definitions apply to these regulations?,” https://studentprivacy.ed.gov/ferpa.
[15] Family Educational Rights and Privacy Act, Electronic Privacy Information Center at “Protections Offered by FERPA” https://epic.org/family-educational-rights-and-privacy-act-ferpa/.
[16] 20 U.S.C. §1232g(a)(4)(B)(i).
[17] Biometrics in Schools: A Privacy Information Guide, identiMetrics at “Concern #1 and #2,” https://www.identimetrics.net/biometrics-info/student-privacy-guide.
[18] See Solove, supra note 10 at 1-38.
[19] Id. (citing 15 U.S.C. § 6502(b)(1)(A)).
[20] Benjamin Herold, COPPA and Schools: The (Other) Federal Student Privacy Law, Explained, Education Week (July 28, 2017), https://umainesystem-my.sharepoint.com/:w:/r/personal/hannah_babinski_maine_edu/_layouts/15/Doc.aspx?sourcedoc=%7B59BB44E5-1320-418B-8A02-2565A18A3B57%7D&file=February%20Blog%20Post.docx&action=default&mobileredirect=true&DefaultItemOpen=1&nav=eyJjIjozOTk1ODUxNTR9&login_hint=devin.b.forbush%40maine.edu&ct=1708975686878&wdOrigin=OFFICECOM-WEB.MAIN.REC&cid=0d0c964b-07e2-4eed-adce-404e58ef345d&wdPreviousSessionSrc=HarmonyWeb&wdPreviousSession=cfd29c0c-a40e-4e04-8a8a-83727ef467b7.
[21] Stacy Feuer, Probing the FTC’s COPPA Proposals: Updates to Kid’s Privacy Rule Follow Agency’s Focus on Technological Advancements, ESRB (Jan. 8, 2024), https://www.esrb.org/privacy-certified-blog/probing-the-ftcs-coppa-proposals-updates-to-kids-privacy-rule-follows-agencys-focus-on-technological-changes/.
[23] See id.
[24] Nerissa Coyle McGinn & Chanda Marlowe, A Roundup of State Laws Related to Children’s Privacy, Loeb & Loeb LLP (August 2023), https://www.loeb.com/en/insights/publications/2023/08/a-roundup-of-state-laws-related-to-childrens-privacy.
[25] See Kirk Nahra, Ali A. Jessani, & Genesis Ruano, State Child Privacy Law Update, WilmerHale (Feb. 28, 2023), https://www.wilmerhale.com/insights/client-alerts/20230227-child-privacy-law-update.
[26] Keely Quinlan, Maine could have strongest data privacy law in nation if bill passes, State Scoop (Feb. 7, 2024), https://statescoop.com/maine-strongest-data-privacy-law-2024/ (explaining that efforts in Maine to pass a biometric data protection law, along with a general data privacy law, failed in 2023 and 2022. Yet, the proposed bills by Rep. O’Neil would provide some of the strongest protections afforded to data subjects, including a private right of action).
[27] 740 Ill. Comp. Stat 14/1 to 20.
[28] Tex. Bus. & Com. Code. Ann. § 503.001(a)-(e).
[29] Wash. Rev. Code. § 40.26.020.
[30] See 740 Ill. Comp. Stat 14/15(b); Tex. Bus. & Com. Code. Ann. § 503.001(b); and Wash. Rev. Code. § 40.26.020(1)(a)-(b).
[31] See 740 Ill. Comp. Stat 14/15(c); Tex. Bus. & Com. Code. Ann. § 503.001(c)(1); and Wash. Rev. Code. § 40.26.020(2)(a).
[32] See 740 Ill. Comp. Stat 14/15(e)(1)-(2); Tex. Bus. & Com. Code. Ann. § 503.001(c)(2); and Wash. Rev. Code. § 40.26.020(3)(a)-(f).
[33] See 740 Ill. Comp. Stat 14/15(a)-(d); Tex. Bus. & Com. Code. Ann. § 503.001(c)(3); and Wash. Rev. Code. § 40.26.020(3)(d)-(e).
[34] Keely Quinlan, Maine could have strongest data privacy law in nation if bill passes, StateScoop (February 7, 2024), https://statescoop.com/maine-strongest-data-privacy-law-2024/#:~:text=O%27Neil%20told%20StateScoop%20last,Data%20Privacy%20and%20Protection%20Act.
[35] H.P 1094, 131 Leg. First Spec. Sess. § 9067(1)(A)-(C) (Me. 2023).
[36] Id. at § 9068.
[37] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, at Art. 1, 5, 6, & 44 (General Data Protection Regulation, “GDPR” hereinafter).
[38] Id. at Art. 8.
[39] Id. at (1).
[40] See id.
[41] Id. at (1).
[42] Id. at Recital 32
[43] Id. at Art. 9.
[44] Id. at (2)(a).
[45] See id. 2(a)-(j). These grounds range from the processing being necessary for protecting the vital interests of the data subject, reasons of public health, to reasons of substantial public interest.
[46] See id. at Art. 22.
[47] Id. at Recital 71.
[48] Id. at Art. 5-7.
[49] See id. Ch. 3, Art. 12 to 23.