By: Lily Keene
Biometric data is not protected under federal law. Therefore, data privacy regulation is left to state and local governments. Amazon Go stores first opened in 2018 and use what the company calls its “Just Walk Out Technology.” Shoppers scan a mobile app and are tracked using computer vision, sensor fusion, and deep learning technology as they place items in their carts. Consumers can use the Amazon Shopping app to scan the store QR code, enabling them to shop and walk out of the store. Amazon’s technology automatically detects when products are taken from or returned to the shelves. It also tracks a customer’s virtual cart and checks them out via the linked Amazon account when they leave the store. According to the U.S. Department of Homeland Security, “biometrics” is defined as unique physical characteristics that can be used for automatic recognition. With the development of technology, biometric data is now being gathered and processed everywhere.
Due to increased demand for advanced contactless payments, as part of its Amazon Go cashier-less convenience stores, Amazon unveiled “Amazon One,” an innovative technology that lets shoppers pay for groceries by scanning the palm of their hands. The technology uses palm-scanning biometrics to verify buyers during transactions, simplifying, speeding up, and securing the contactless payment process. Customers can create their biometric profile at an Amazon One location by linking their palm and payment card to the service.
A small, specialized infrared payment scanner maps and digitally renders the unique vein structures in the individual’s palm by hovering the palm over the scanner. As a result of reading 500 million data points, the palm vein scanner converts the data into an encrypted code to generate an individual’s biometric identity. Amazon One creates these profiles by establishing a consumer palm “signature” using machine learning technology. The scanners can identify someone in seconds without skin contact. Amazon stores palm data in the cloud.
New York City passed a law in January 2021, requiring businesses to display signs to notify customers that they are collecting their biometric information. Amazon Go stores are being accused of using biometric data by scanning the palms of their customers to identify them and using deep learning algorithms, computer vision, and sensor fusion to identify consumers, track where they go in the store, and determine what products they purchase based on the shape and size of their bodies. According to the complaint, Amazon Go stores did not post signs regarding biometric tracking for fourteen months after the law was passed. The complaint alleges that Amazon failed to disclose that they convert and retain biometric identifier information despite posting a sign on March 13, 2023. In the lawsuit, the plaintiff seeks a declaration that Amazon violated the law, an order requiring Amazon’s compliance, and damages.
New York City’s biometrics ordinance applies to commercial establishments, defined as food and drink establishments, places of entertainment, and retail stores, that collect, retain, convert, store, or share biometric identifier information from customers. The ordinance provides that regulated businesses are required to place clear, conspicuous notices near all customer entrances.
The lawsuit’s outcome could depend on whether the court views an individual’s body shape and size as biometric information. In the complaint, the plaintiff refers to NYC Admin. Code § 22-1201’s definition of a biometric identifier in the context of the law as “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
Additionally, the outcome will depend on whether the court finds that Amazon violated NYC Admin. Code § 22-1202. In 2021, the Commissioner of Consumer and Worker Protection adopted a rule to implement the Biometric Identifier Information Law. Commercial establishments covered by such sections must display a sign of at least 8.5 inches by 11 inches, clearly and conspicuously, at each entrance used by customers. The sign must inform them of any collection, retention, conversion, storage, or sharing of biometric identifier information.
While there are clear benefits to using biometric data for identification and authentication, there are concerns. Amazon uploads biometric information to the cloud, raising unique security risks. As it becomes more common, companies and the government are building databases to store the biometric data of their customers, employees, and citizens. These databases can be hacked or used for purposes that could be used to commit fraud or identity theft. Consumer trust could be a significant barrier to widespread adoption.
As a result, the company could face a steep price. If a judge certifies the thousands of people that have been to the store since the law took effect and Amazon is found liable, the company could be forced to pay estimated tens of millions of dollars. Companies should consider taking affirmative steps to ensure their stores adequately post signage if collecting biometric data.
These developments should be carefully monitored by attorneys advising clients on data privacy issues, including in-house attorneys, to investigate whether and how their company uses biometric data. Moreover, only a few states have enacted biometric privacy laws. Therefore the extent and limits of biometric data collection, storage, and use must be clarified. Biometric laws still need to keep pace with the rapid development and advancement of technology. As states and cities enact more data privacy and security laws, biometric laws should be a priority for legislators and businesses. Increasing biometric privacy lawsuits, arbitrations, and legislative proposals will likely keep attorneys interested in biometrics.
Student Bio: Lily Keene is a second-year law student at Suffolk University Law School. She is a staff writer for the Journal of High Technology Law. She graduated from the University of New Hampshire with a Bachelor of Arts in Communication, with a focus in business.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.