When using biometrics in advertising, consent is not enough.
IAB Canada, a trade association for Canada’s interactive marketing and advertising industry, recently issued policy paper on using biometrics in digital advertising.
This follows recent guidance from the Office of the Privacy Commissioner of Canada on biometrics.
Here is what you need to know:
To use biometrics, you need:
- Explicit consent, but also:
- Necessity: Do you need it? Can you do it in a less invasive way?
- Fitness for purpose: Does it work?
In the US: Biometric data is also sensitive. You would need to meet:
- Data minimization and consent requirements under most of the U.S. state privacy laws.
- Abide by the right to limit for California.
- Mind your “knowing” data sharing for the purpose of FTC Act and state consumer protection laws (like California UCL), as well as “wiretapping” laws like CIPA.
- If the use involved profiling or targeted advertising or “sale” of the data, this may be outright prohibited in some states (especially when involving the data of minors).
- If not prohibited, you also need a risk assessment (DPIA).
Read more here.
[View source.]
