Stop Right There: Will Privacy Rights Stall the Future of Biometrics in the Automotive Industry?
Biometric technologies have become an essential component of present-day automotive design. From safety to convenience, biometric technologies are completely altering the way drivers access, interact with, and operate modern cars.
What exactly is biometrics? Merriam-Webster defines biometrics as “the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns) especially as a means of verifying personal identity.” Biometric authentication is the security procedures and applications that utilize these unique intrinsic characteristics to verify identity, usually for the purposes of granting access to a physical or digital domain.
Biometric technologies have become an integral part of our daily lives over the past decade. Today, we routinely use biometric technologies to unlock our smart phones with a facial scanner or fingerprint reader, to direct our smart speakers to perform various functions or to access secured areas when our faces are recognized and authenticated. And these uses are only increasing. In fact, the general field of biometrics is projected to have a value of approximately $69 billion by 2025.
In the automotive industry specifically, biometric technologies promise to open pathways to the ultimate driving experience. Through greater use of biometrics, automakers are striving to “connect” the driver more directly to the vehicle, thereby creating a more personalized, comfortable, and stress-free driving experience.
Fingerprint scanners remain one of the most widely used forms of biometric technology in the automotive industry. Hyundai pioneered this technology in 2018 when it became the first auto manufacturer to introduce smart fingerprint technology, which allowed drivers to both unlock and start their cars. Kia expanded on this use with the introduction of fingerprint technology on the 2022 Kia K9, which distinguishes between multiple user profiles that can be personalized for climate control, as well as mirror and seat positions.
We are also starting to see iris/retinal scanners appearing in the automotive design landscape. The human iris is very similar to a fingerprint in that it has its own set of unique features and patterns that allow for individual recognition. Retinal scanners use an invisible infrared light to record these features, which are then analyzed and used in applications similar to fingerprint scanners. Although this technology is relatively new, Hyundai Motor Group recently patented an iris authentication technology it plans to incorporate into its vehicles in the near future.
Even more cutting edge is biometric facial recognition technology, which uses an infrared light source to illuminate the driver’s face that is then recorded and analyzed by the vehicle’s onboard systems. Hyundai Motor Group recently announced that its first EV, the Genesis GV60, which will be available this year in Europe, will be the first commercial vehicle with facial recognition technology. As reported, the new technology will allow drivers to access and start the vehicle without a key much like when you open your smart phone. The feature, dubbed Face Connect, uses sensors connected to a deep-learning image processing controller. Apparently anticipating pushback from data privacy advocates, Genesis promises that all biometrics data will be stored on the vehicle’s internal security chip only rather than in a cloud or central server.
Automotive biometrics coupled with artificial intelligence and machine learning also appear to be on the verge of mainstream adoption by automakers. Using sensors and cabin cameras, automakers can use biometric data and deep learning algorithms to monitor and analyze certain driver conditions such as distraction, drowsiness, or impairment, which can allow the vehicle to autonomously react accordingly. In addition to safety, automotive biometrics and AI can be used to detect and analyze facial expressions, body movement, breathing patterns, and heartbeat rate to assess the state of the driver and then make responsive adjustments to comfort systems like music, climate control, lighting, seats, and interior cabin features.
This boom in biometric development over the past decade has become the catalyst for what many refer to as the identification revolution. As the world continues to transition into a digitally connected global ecosystem, the need to protect personally and commercially sensitive data is becoming more and more pronounced. As the use of biometric technologies becomes more widespread, they likewise are becoming of greater concern for data privacy advocates. The intersection of these two competing interests is proving to be a hotly contested battlefront. In fact, many states have enacted or introduced legislation aimed at preventing private entities from collecting biometric information without disclosure and consent despite the numerous safety and convenience benefits of the technology.
In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), becoming the first state to enact a biometric data privacy law. BIPA defines a “‘biometric identifier’” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA highlights the importance of protecting this information by explaining that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” Under BIPA, entities that use and store biometric identifiers must comply with certain notice and consent requirements.
Although several other states also now have broad biometric privacy laws on the books, only BIPA provides a private right of action for recovering statutory damages when the act is violated. While California's Consumer Privacy Act (CCPA) does address the protection of biometric data, a private right of action arises only in limited situations such as unauthorized exposure due to inadequate security procedures and failure to comply with consumer requests.
A recently filed potential class action suit alleging that Subaru of America’s (SOA) driver monitoring system (DMS) captures and transmits biometric data in violation of BIPA has placed the automotive industry squarely in the crosshairs of privacy advocates. According to the lawsuit, SOA collects biometric data by scanning drivers’ biometric identifiers, which it then transmits as telematics data without drivers’ consent and/or without supplying written notices pursuant to the requirements of BIPA.
As alleged more specifically in the complaint, SOA’s DriverFocus monitoring system “collects and stores data regarding the driver’s facial features,” which allows the vehicle to recognize profiles of up to five different drivers. Pursuant to predetermined settings, the system then automatically adjusts features such as climate control settings, mirror positioning and seat configuration to suit the specific driver’s preferences.
In addition to adjusting comfort settings, the DMS scans and utilizes “the driver’s biometric identifiers and/or biometric information — particularly, the person’s retina/iris and face geometry — to recognize drivers and determine if the driver is either facting forward and focused on the road, or ‘distracted and drowsy,’” the complaint alleges.
Other highly sensitive data purportedly accessed by SOA according to the complaint includes “mechanical conditions or incidents involving the vehicle, such as crash severity sensor data; vehicle time, speed and location; vehicle-occupants’ search content; data relating to phone calls make through the system; and vehicle performance data, such that is automatically retrieved, recorded, and transmitted to Subaru.”
The complaint further alleges that this biometric information is stored “on the same onboard computer Subaru routinely accesses” through its Starlink telematics system. Although drivers can prevent the transmission of this telematic data by disengaging the DMS, “doing so deprives them of the crucial safety benefits the DMS provides,” the lawsuit contends. “Subaru’s policies thus leave drivers between a rock and a hard place: forego standard safety features, or entrust their highly-sensitive biometric data to Subaru despite its failure to comply with BIPA.”
In addition to unspecified monetary damages, the complaint seeks injunctive relief, including an order preempting SOA from “capturing, collecting, using, storing, disclosing, or disseminating” biometric information without notice to and permission from the driver. BIPA provides a statutory remedy of $5,000 per violation, which if interpreted as an individual violation each time the DMS is engaged, SOA could potentially be subject to a very significant financial penalty.
Similar class actions under BIPA have resulted in multimillion-dollar settlements or verdicts. For example, Facebook agreed to a $650 million settlement, Google paid $100 million, and a jury recently returned a $228 million verdict against freight operator BNSF for using fingerprint scans acquired from truck drivers.
Although the SOA litigation is still in its infancy, U.S. District Judge Jorge L. Alonso recently denied a motion by SOA to compel arbitration in the case, which means the potential class action will likely proceed to trial unless a settlement is reached. In sum, the court held that SOA was not entitled to enforce the arbitration provision in a financing agreement between the plaintiff and the dealership where she purchased the vehicle, which was not a party to the lawsuit. In support of his ruling, Judge Alonso cited a U.S. Seventh Circuit Court of Appeals opinion from earlier this year, CCC Intelligent Solutions v. Tractable, in which the Court held a third party did not have the legal right to enforce an arbitration agreement between other parties.
In so holding, Judge Alonso emphasized that “Subaru of America, Inc., has put forth no evidence, let alone clear and convincing evidence, that plaintiff made any representation to induce Subaru of America, Inc., to rely, to its detriment, on the arbitration clause. Nor has Subaru of America, Inc., put forth any evidence of detrimental reliance.”
We will be following closely to see how this seminal case unfolds.
Copyright Nelson Niehaus LLC
The opinions expressed in this blog are those of the author(s) and do not necessarily reflect the views of the Firm, its clients, or any of its or their respective affiliates. This blog post is for general information purposes and is not intended to be and should not be taken as legal advice.