M&E Journal: The Biometric Data Concerns Around Virtual and Augmented Reality Applications

By Ed Klaris, CEO, and Alexia Bedat, Associate, KlarisIP

A particular type of private information became the focus of increasing attention in 2017: biometric data. Biometric data is digital data obtained by measuring an individual’s characteristics, such as retina or iris scans, fingerprints, voiceprints or hand and face geometry. In May of 2017, Washington became the third state to enact a biometric privacy statute (following Illinois in 2008 and Texas in 2009) while six other states have similar bills pending.

Across the pond, companies have started preparing for the new data protection regime coming into force in May 2018, the General Data Protection Regulation (GDPR). A number of non-EU countries have also furthered the trend, enacting biometric privacy laws or issuing updates on the collection of biometric data.

These legislative efforts have coincided with significant improvements in two distinct but related technologies: augmented and virtual reality. Augmented reality (AR) overlays digital data over the real world, while virtual reality (VR) is a fully immersive artificial environment, experienced through sensory stimuli in a headset. Both AR and VR can collect significant amounts of biometric data.

These technologies, once considered remote, are becoming increasingly common aspects of the consumer experience, scanning not just inanimate surroundings but human eyes and faces as they do so. Individuals in 2018 will unlock smartphones with a mere glance, visualize virtual new furniture in their homes, experience sporting events without leaving their desks and find VR experiences at every major film festival.

The relevant question is not whether a consumer will be exposed to AR or VR, but when. VR and AR thus offer a helpful and relevant prism through which to consider the potential of biometric data, how it is regulated, and what this means for companies in these areas.

VR/AR and biometric data

While these technologies could eventually track a range of biometric data, two particular functions of VR and AR will feature prominently in 2018: eye-tracking and facial recognition.

* VR and eye tracking: Until now, VR has functioned by a combination of sensors that track a user’s head, body and hand movement. As of January 2018, eye tracking technology can be added to this list. Tobii, for example, released a VR development kit for eye tracking to be fitted with the HTC Vive, which was received with enthusiasm at CES 2018. Eye tracking is accomplished by projectors that create a pattern of near-infrared light on a user’s eyes. Sensors take high-frame-rate images of both those patterns and the user’s eyes. Those patterns are then fed through image processing algorithms that find specific details in the patterns and use these to calculate the eyes’ position and gaze point.

VR and tech aficionados have already rejoiced at the prospect of increased “foveated rendering” and avatars that can mirror real time blinking. Adding eye tracking to VR headsets, however, offers more than an improved visual experience. It grants VR companies the tools to track where users look, what grabs their attention, for how long and how it makes them feel. Combining eye tracking with tools that can detect a user’s emotional state by reading facial muscle movement or pupil dilation potentially converts every individual donning a headset in the privacy of his or her own home into an instant consumer study.
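The "where, for how long" inference the paragraph describes is easy to see in code. The block below is an added example written for this article, not code from Tobii, the article's authors or any headset SDK. It assumes (my assumptions) that the tracker delivers gaze points as normalised screen coordinates in [0, 1] with millisecond timestamps, that the screen regions of interest are axis-aligned rectangles, and it uses the standard dispersion-threshold fixation detector (I-DT) to turn raw samples into fixations and then into dwell time per region; the gaze stream is constructed inline.

```python
"""Added example: from raw gaze samples to per-region dwell time.

Not part of the article or any vendor SDK. Assumptions (mine): gaze points
are normalised screen coordinates in [0, 1], timestamps are milliseconds,
regions of interest are axis-aligned rectangles (x0, y0, x1, y1).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t_ms: float
    x: float
    y: float


@dataclass(frozen=True)
class Fixation:
    start_ms: float
    end_ms: float
    x: float  # mean gaze position of the fixation
    y: float

    @property
    def duration_ms(self) -> float:
        return self.end_ms - self.start_ms


def dispersion(window):
    """I-DT dispersion: x range plus y range of the samples in the window."""
    xs = [s.x for s in window]
    ys = [s.y for s in window]
    return (max(xs) - min(xs)) + (max(ys) - min(ys))


def detect_fixations(samples, max_dispersion=0.05, min_duration_ms=100.0):
    """Dispersion-threshold (I-DT) fixation detection.

    A window is a fixation when it spans at least min_duration_ms and its
    dispersion stays below max_dispersion; the window is then grown as far
    as the dispersion allows. Samples in between (saccades) are discarded.
    """
    fixations = []
    i, n = 0, len(samples)
    while i < n:
        j = i
        while j < n and samples[j].t_ms - samples[i].t_ms < min_duration_ms:
            j += 1
        if j >= n:  # not enough data left to form a fixation
            break
        if dispersion(samples[i:j + 1]) > max_dispersion:
            i += 1  # eyes were moving: slide the window start forward
            continue
        while j + 1 < n and dispersion(samples[i:j + 2]) <= max_dispersion:
            j += 1  # extend the fixation while the gaze stays put
        window = samples[i:j + 1]
        fixations.append(Fixation(
            window[0].t_ms, window[-1].t_ms,
            sum(s.x for s in window) / len(window),
            sum(s.y for s in window) / len(window)))
        i = j + 1
    return fixations


def dwell_by_region(fixations, regions):
    """Total fixation time (ms) per named screen region."""
    totals = {name: 0.0 for name in regions}
    for f in fixations:
        for name, (x0, y0, x1, y1) in regions.items():
            if x0 <= f.x <= x1 and y0 <= f.y <= y1:
                totals[name] += f.duration_ms
                break
    return totals


# Constructed regions of a hypothetical store front shown in the headset.
REGIONS = {
    "product_ad": (0.10, 0.20, 0.30, 0.40),
    "price_tag": (0.60, 0.50, 0.80, 0.70),
}


def constructed_samples():
    """Constructed 100 Hz gaze stream: 300 ms on the ad, a saccade, 500 ms on the price."""
    jitter = (0.0, 0.004, -0.004, 0.002)  # small, deterministic tracker noise
    samples, t = [], 0.0
    for k in range(30):
        samples.append(Sample(t, 0.20 + jitter[k % 4], 0.30 + jitter[(k + 1) % 4]))
        t += 10.0
    for k in range(5):  # rapid eye movement between the two regions
        samples.append(Sample(t, 0.30 + 0.08 * k, 0.36 + 0.05 * k))
        t += 10.0
    for k in range(50):
        samples.append(Sample(t, 0.70 + jitter[k % 4], 0.60 + jitter[(k + 2) % 4]))
        t += 10.0
    return samples


if __name__ == "__main__":
    fixations = detect_fixations(constructed_samples())
    for f in fixations:
        print(f"fixation at ({f.x:.2f}, {f.y:.2f}) for {f.duration_ms:.0f} ms")
    print(dwell_by_region(fixations, REGIONS))
```

Fewer than a second of samples already yields a per-region attention profile, which is the kind of derived record a consent notice and a retention policy need to cover, not just the raw gaze coordinates.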

* AR and facial recognition: When combined with facial recognition, the potential of AR is equally impressive. Consider augmented glasses capable of gathering and displaying the social media profile of any person coming in one’s range of vision, or billboards advertising services tailored to a consumer’s purchasing history. While these scenarios may seem farfetched, AR is already leveraging facial recognition to unlock or adjust the volume of smartphones (iPhone X) and identify an individual’s painting look-alike (Google’s Arts & Culture App). These applications, and others like them, analyze a series of invisible dots (30,000 in the iPhone X’s case) and create a unique and precise depth map of one’s face, which can then be compared to a database of stored images.
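What "a unique and precise depth map ... compared to a database of stored images" amounts to is a 1:N template match. The block below is an added example written for this article, not code from Apple, Google or the article's authors. It assumes (my assumptions) that the sensor returns its projected dots in a fixed order, so dot i of one capture corresponds to dot i of another, and it stands in a 5x5 grid for the tens of thousands of dots a real sensor projects; the faces are constructed inline. Templates are normalised for position and scale, and a probe is only accepted when its distance to the closest enrolled template falls below a threshold.

```python
"""Added example: minimal 1:N face identification against enrolled templates.

Not part of the article, iOS or the Arts & Culture app. Assumptions (mine):
dots arrive in a fixed order (index i matches index i across captures);
a 5x5 grid of (x, y, depth) dots stands in for a real sensor's dot pattern.
"""
import math

GRID = (-2.0, -1.0, 0.0, 1.0, 2.0)


def synth_face(nose_height, brow_depth):
    """Constructed depth map: a shallow bowl with a nose peak and a brow row."""
    dots = []
    for y in GRID:
        for x in GRID:
            z = -0.10 * (x * x + y * y)
            if x == 0.0 and y == 0.0:
                z += nose_height
            if y == 2.0:
                z += brow_depth
            dots.append((x, y, z))
    return dots


def normalise(dots):
    """Remove position (centroid) and scale (RMS radius) so captures compare fairly."""
    n = len(dots)
    cx = sum(p[0] for p in dots) / n
    cy = sum(p[1] for p in dots) / n
    cz = sum(p[2] for p in dots) / n
    centred = [(x - cx, y - cy, z - cz) for x, y, z in dots]
    rms = math.sqrt(sum(x * x + y * y + z * z for x, y, z in centred) / n)
    return [(x / rms, y / rms, z / rms) for x, y, z in centred]


def template_distance(a, b):
    """RMS point-to-point distance between two normalised dot sets."""
    if len(a) != len(b):
        raise ValueError("dot counts differ")
    return math.sqrt(sum((ax - bx) ** 2 + (ay - by) ** 2 + (az - bz) ** 2
                         for (ax, ay, az), (bx, by, bz) in zip(a, b)) / len(a))


class TemplateStore:
    """Enrolled templates plus a threshold-gated 1:N lookup."""

    def __init__(self, threshold=0.03):
        self.threshold = threshold
        self._templates = {}

    def enrol(self, subject_id, dots):
        self._templates[subject_id] = normalise(dots)

    def identify(self, dots):
        """Return (subject_id, distance); subject_id is None when nothing is close enough."""
        probe = normalise(dots)
        best_id, best_d = None, math.inf
        for sid, tpl in self._templates.items():
            d = template_distance(probe, tpl)
            if d < best_d:
                best_id, best_d = sid, d
        if best_d <= self.threshold:
            return best_id, best_d
        return None, best_d


def simulate_capture(dots, scale=1.0, shift=(0.0, 0.0, 0.0), noise=0.0):
    """Constructed sensor capture: the face seen at another distance/position with depth noise."""
    out = []
    for i, (x, y, z) in enumerate(dots):
        sign = 1.0 if i % 2 == 0 else -1.0  # deterministic +/- noise pattern
        out.append((x * scale + shift[0], y * scale + shift[1],
                    (z + sign * noise) * scale + shift[2]))
    return out


# Constructed subjects: same bowl, different nose and brow depths.
ALICE = synth_face(0.8, 0.2)
BOB = synth_face(0.5, -0.1)

if __name__ == "__main__":
    store = TemplateStore()
    store.enrol("alice", ALICE)
    store.enrol("bob", BOB)
    print(store.identify(simulate_capture(ALICE, scale=1.1, shift=(0.5, -0.2, 0.3), noise=0.01)))
    print(store.identify(simulate_capture(synth_face(0.2, 0.4))))  # never enrolled
```

The threshold is the whole policy in one number: raise it and strangers start matching enrolled users (false accepts), lower it and the real user is turned away (false rejects). The stored templates are the sensitive asset; once a face geometry leaks it cannot be rotated like a password, which is why the statutes discussed below treat retention and consent as the core obligations.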

While these innovations are exciting, individuals embracing VR and AR as a source of entertainment may be entirely unaware of the breadth of data simultaneously being collected and stored about them. Understanding the biometric data regulation framework is necessary for both the responsible enjoyment and development of AR and VR.

Biometric data collection rules in the U.S. and the EU

Privacy in the U.S. has historically been associated with the four torts identified by Warren and Brandeis in 1890 (intrusion upon seclusion, public disclosure of embarrassing facts, false light and the right of publicity). Since then, only a narrow group of federal statutes have been enacted to protect certain sensitive data from being inappropriately gathered or disclosed.

Until recently, states have largely refrained from regulating the collection of personal data. Three states, Illinois, Texas and Washington, have already enacted specific laws regulating the collection of biometric information. At least six other states are considering enacting their own specific biometric privacy bills: Alaska, Connecticut, Arizona, California, Massachusetts, New Hampshire and Illinois (an amendment to the existing statute). This state law trend is adding complexity to industries that market their products throughout the nation.

The Illinois (2008), Texas (2009) and Washington (2017) statutes are similar insofar as they all regulate the collection, retention and use of biometric data. Entities collecting biometric data must notify the subject that biometric data is being collected and the subject must in turn expressly consent to such collection. The three statutes, however, differ in four key respects: definitions, scope, procedural requirements and availability of a private cause of action. This creates potential uncertainty for collectors of biometric data from people across the U.S.

Defining biometric data

The definition of biometric data in the three statutes includes retina or iris scans, voiceprints and fingerprints. Texas and Illinois specifically call out “hand or face geometry” (i.e. facial scanning). Washington (the most recent statute) does not regulate the collection of hand or face geometry and contains some language that is ambiguous:

“Biometric identifier” means data generated by automatic measurements of an individual’s biological characteristics, such as fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that can be used to identify a specific individual.

“Biometric identifier” does not include a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996.

While Washington expressly excludes “a physical or digital photograph” from its scope, the statute could be interpreted as applying to data generated from “a physical or digital photograph” (for example, data generated by applying facial recognition to a photograph in one’s smartphone library). This ambiguity raises issues that may prove problematic for AR companies, which prefer certainty when rolling out facial recognition features in each state.

Regulation in the EU

In stark contrast to the disparate development of biometric data collection regulation in the U.S., data collection in Europe is well-established and closely regulated. The Data Protection Directive was adopted in 1995 to regulate the processing of personal data within the European Union. On May 25, 2018, the new General Data Protection Regulation (“GDPR”) will apply across all 28 EU member states. Its key objective is to “protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” One mechanism by which the GDPR achieves this is the provision of a new framework for the processing of “special categories of personal data,” which include biometric data.

This new framework imposes onerous obligations on any data controllers collecting biometric data from data subjects within the EU, whether the data controller is located in the EU or abroad. A California-based company collecting biometric data from a user residing in Italy, for example, will be caught by the GDPR.

Data collectors must show compliance with the GDPR, including the framework outlined above, by May 25, 2018, at which point, the GDPR will automatically come into force at a domestic level. Many government organizations across the EU, including the UK (Brexit does not affect the implementation of the GDPR), France and the Netherlands have started preparing companies for the GDPR’s effective date. Over the course of 2017, a number of non-EU countries also addressed the collection of biometric data, whether by legislation or the issuance of best practices (such as Japan, India, Israel and Russia).

Impact of biometric statutes

Nearly 40 biometric privacy lawsuits were filed (and in some cases, voluntarily dismissed) in 2017 against tech giants including Google, Facebook, Snapchat, Shutterfly and a number of companies and facilities that have incorporated biometric scanning in their employee time-clock process.

While many class actions are still pending, one court of appeals has already dismissed a lawsuit brought under the Illinois Biometric Information Privacy Act (BIPA) for lack of standing. The case, Santana v. Take-Two Interactive Software, Inc., arose from the “MyPlayer” feature of video games like NBA 2K15, developed by Take-Two, which allows gamers to create a personalized basketball player that displays a realistic 3D rendition of the gamer’s face (or “avatar”).

Increasing pressure on AR/VR

Outside of the courtroom, biometric privacy legislation already appears to have affected at least one company’s geographic roll-out of its application. In January 2018, Google released an application that matches selfies with historical artwork look-alikes (Google’s Arts & Culture application). The application requires a user’s consent to proceed after displaying a disclosure that “Google won’t use data from your photo for any other purpose and will only store your photo for the time it takes to search for matches.”

Millions of users downloaded the application. The selfie functionality, however, was not available for users located in Illinois and Texas at the time of download. Those in Washington, by contrast, were able to download and use the selfie tool. While Google did not make a statement either way, the comparatively greater breadth and scope of the Illinois and Texas statutes, combined with Google’s continuing litigation under BIPA, suggest that Google may be proceeding cautiously in states with broadly defined biometric privacy laws.

Other companies have previously displayed similar caution in rolling out biometric data collection functionalities dependent on consumer location. A 2016 study by the Information Systems Audit and Control Association (ISACA), notably, found that the majority of surveyed European companies were hesitant to implement AR for business purposes in the EU due to privacy regulations.

In November of 2016, John Hanke, the founder of Niantic, Inc. (the company behind Pokémon Go), echoed these concerns before Congress, calling for greater clarity with European colleagues about the ambiguous interplay between AR and privacy in the EU. Despite Google’s silence on its decision not to make its art selfie application available in Illinois and Texas, the message is clear: the ambiguity and hesitation are no longer confined to Europe. Indeed, Tobii, one of the companies bringing eye-tracking technology to VR, has already stated that application developers should seek explicit consent before any type of eye tracking.

AR and VR can no longer be dismissed as passing trends. Last year witnessed remarkable technological advancements in both AR and VR. It also saw a surge of state biometric data bills and legislation, exposing AR and VR companies to private and state actions.

As courts continue to make their way through the biometric privacy cases, the actual requirements and impact of these statutes will become clearer. Until then, AR and VR companies are expected to consider the location of their consumers and tailor their activities accordingly.

Adequate biometric data disclosures, moreover, may also serve a greater reputational interest. Achieving recognition as both a cutting-edge and responsible developer may be a critical step in securing the consumer vote, and may have the added benefit of slowing down the spread of additional state biometric data laws.