In what could become a wake-up call for the casino industry, a federal court in Illinois awarded $228m in damages last October in a class-action lawsuit against a railroad company for collecting fingerprints of customers without obtaining their written consent.
The use of biometric technology, such as facial recognition, is on the rise in land-based and online casinos, but so are privacy laws in states such as Illinois, and it is not clear how biometrics and privacy can coexist.
“The Illinois biometric law includes data deletion requirements, which could conflict with access requirements under other privacy laws,” said David Opderbeck, a law professor at Seton Hall University in Newark, New Jersey.
“Casinos with business in multiple jurisdictions will need to make a reasonable effort to comply with differing requirements,” Opderbeck told VIXIO GamblingCompliance in an email.
Perhaps a harbinger of the era of artificial intelligence, the technology of biometrics can enhance security at casinos and provide more convenience for guests.
On the other hand, critics argue companies use biometrics as an invasive tool to identify and track unsuspecting consumers.
Texas and Washington state have joined Illinois in passing standalone biometric laws regulating the collection of faceprints, fingerprints and retinal scans, among other things, by non-governmental entities.
In 2022, lawmakers in California, Kentucky, Maine, Maryland, Massachusetts, Missouri and New York considered biometric privacy legislation.
The sponsor of the unsuccessful bill in Maine, Democratic State Representative Margaret O’Neil, told Pluribus News her legislation is likely to be re-introduced this year.
“This is a big deal for all of us; it affects the kind of society we live in. It’s your fingerprint or your face or your gait,” O’Neil said.
The American Civil Liberties Union (ACLU) predicts at least 20 percent of state legislatures will introduce biometric privacy bills this year, and the ACLU plans to launch a multi-state campaign to protect consumer privacy.
Moreover, “perhaps eventually, a comprehensive federal law” regulating privacy could become a reality, according to Opderbeck, the Seton Hall law professor.
“I don’t think the use of biometric information will be banned overnight,” Opderbeck said.
“The question will be around notice, consent, access, correction and retention. We’ll probably also see law and policy grapple with the synergies between biometric information, other personally identifying information, and artificial intelligence.”
Mei Lee Ngan, a computer scientist at the National Institute of Standards and Technology in the U.S. Department of Commerce, said her agency “cannot speculate on what other branches of government may or may not do” regarding federal regulation of biometrics.
Opderbeck noted the General Data Protection Regulation (GDPR) in Europe is more comprehensive than the patchwork of privacy laws in North America.
There are three very simple rules for complying with the GDPR, according to Tony Allen, CEO of Age Check Certification Scheme in the United Kingdom.
“Number one, don’t collect any personal data,” Allen said during a January 18 webinar sponsored by iGaming Business.
The reason for the third rule, Allen said, is that companies should develop their own privacy policies to reflect what they actually do, “not something that’s trying to get you out of a legal hole.”
“Get a lawyer to check it, but don’t get them to initiate it,” he said.