2022 Marcom Trends - Magazine - Page 18
BIOMETRIC DATA LAWS
Biometric Privacy Laws Are on the Rise
Apple and Google Bring Big Changes to the
Ad Tech Industry
Biometric data laws are growing as part of the privacy landscape in the United States. As
physical biometric data increasingly becomes a preferred means of identification by many
businesses, and particularly by employers, consumer protection concerns abound and
state legislators have been struggling to find an appropriate balance.
While there is no uniform federal biometric data privacy law,
several states in the United States, including Illinois, Oregon,
Texas, California, Washington and New York, either have existing
laws or are in the process of drafting new laws. Although it
remains to be seen how such legislation will change the reliance
upon and use of biometric data, it is clear that there is a need
for businesses to implement formal data security and privacy
frameworks, such as written policies, with respect to the
collection and use of biometric data, whether or not required by
Private Rights of Actions
The Illinois Biometric Information Privacy Act (BIPA) (the first
comprehensive biometric data law in the United States) is the
only state law actually in effect that expressly affords individuals
a private right of action. As a result, BIPA has become a favorite
tool of class action lawyers and an expensive problem for
Other city-level regulations, such as was enacted in Portland,
Oregon in January 2021, also provide private rights of action.
Portland’s city-wide ordinance prohibits the use of facial
recognition technology by private entities in places of public
accommodation. One challenge now facing affected businesses
in Portland is that there is uncertainty around what constitutes
“facial recognition technology,” as well as whether informed
consent creates an exception to the prohibition. Similarly, in
June 2021, the city of Baltimore enacted a Private-Sector Face
Surveillance System Ban, banning the use of facial recognition
technology by individuals and private businesses within the city.
Also in January 2021, the New York State Legislature proposed
the Biometric Privacy Act (BPA), seeking to enhance the privacy
rights of individuals via the implementation of controls around
the collection and processing by private entities of biometric
information. New York City also passed a law requiring
commercial establishments to post clear disclosures at all
18 DAVIS+GILBERT LLP
entrances where consumers might enter, notifying them of the
collection, use and/or sharing of their biometric information.
Although several states have proposed biometric data legislation
that has not advanced, it is likely that lawmakers will continue to
be active and applicable laws will continue to evolve.
What Businesses Can Do Now
• The confluence of privacy, security and societal concerns
have resulted in increased scrutiny over the use of
• In the absence of a consistent federal standard, and in
anticipation of increased state regulation, businesses
should assess their practices and formalize their policies
with respect to the collection and use of biometric data.
• As a general best practice, notice and consent should
be given and received prior to collecting and using
For companies operating at the
intersection of digital media, advertising,
technology and . . . more
With Oriyan’s counsel, creative agencies
and technology companies understand
and uphold privacy . . . more
Richard S. Eisert, Partner/Co-Chair Advertising + Marketing, firstname.lastname@example.org
Gary Kibel, Partner, email@example.com
Two of the biggest names in the advertising technology industry are
making fundamental changes to the way marketers track and target
users using data collected on their platforms.
Apple’s Monumental Changes
With the launch of Apple’s iOS 14.5 last year, Apple changed its
policy regarding app publishers’ collection and use of its persistent
identifier known as the “Identifier for Advertisers” (IDFA). Now,
app publishers on Apple’s platform have to receive a user’s opt-in
consent through Apple’s new “AppTrackingTransparency” framework
at the app level in order to access a user’s IDFA for purposes of
targeted advertising or advertising measurement.
This is a radical change from the prior opt-out regime.
Apple users are presented with a one-time notification that explains
how their IDFA will be used for tracking, and then gives the users the
choice to either opt-in or block an IDFA at the app level (an option
that was previously available to users only as an opt-out option
located in a user’s Apple Settings).
Experts believe that this change will significantly reduce the
percentage of Apple app users who share their IDFA with the app
publishers, disrupting the downstream flow of this information
to ad tech companies, many of which rely on publishers for this
information, and presenting a big challenge for the marketing efforts
of these publishers and the ad tech companies with which they
Changes Brought By Google
Google announced that they would be blocking the use of third-party
cookie technology in the Chrome browser within two years. Like
the IDFA, cookie technology is widely used in the ad tech industry
for retargeting. Then, in March 2021, Google went even further by
announcing that once third-party cookies are phased out, Google will
not build its own alternate method to track users across the web or
use an alternative identifier in its own products. However, perhaps in
part due to increased antitrust scrutiny, Google agreed to delay the
effective date for this major change.
While these changes are explained as steps to protect Apple and
Google users’ privacy, they are forcing the rest of the advertising
industry to create new ways to continue to track user activity and
serve individualized, targeted advertisements.
Impact on Marketers
With these changes, marketers will have fewer authenticated
users to target with ads across the various platforms. As a result,
the ad tech industry is looking for new and creative ways to adapt
as changes in both the technological and privacy landscape
are narrowing their options. One solution is the “Unified ID 2.0”
endorsed by numerous ad tech companies, which proposes a
universal, anonymized user identifier that would require a user
to opt-in once across all digital channels and devices to receive
applicable ads. Many proposals are posted on the open source
The Interactive Advertising Bureau has also introduced an initiative
— Project Rearc — to address the loss of third-party cookies on
these large platforms.
At the same time, some lawmakers and regulators are pushing to
further regulate or even eliminate retargeting users based upon their
online data, which has been derisively referred to as “surveillance
These changes are signs of the changing ad tech privacy landscape,
and marketers and their agencies should be prepared for more
platforms to follow suit. All participants in the online advertising
ecosystem, including publishers, ad tech companies and marketers,
should consider these developments and how best to execute
effective campaigns in this new reality.
What Businesses Can Do Now
• Google and Apple have implemented significant changes
to their platforms that will shrink the pool of authenticated
users to target with ads across other platforms.
• The ad tech industry will have to develop creative new
methods to track and target users, including new industrywide proposals.
• All participants in the online advertising ecosystem
should consider these developments and their impact on
advertising campaigns in this new reality.
TRENDS IN MARKETING COMMUNICATIONS LAW 19