Please ensure Javascript is enabled for purposes of website accessibility

ID.me to drop facial recognition requirement for government agencies

Amid concerns over privacy and data security, McLean-based tech company ID.me announced Tuesday it would drop the facial recognition requirement in its identity verification software, offering a new option to all government clients.

Founded in 2010 as TroopSwap, ID.me works with 10 federal agencies, including Social Security and Veterans Affairs, and 30 states, in addition to more than 500 retailers. The company’s announcement follows the Internal Revenue Service’s Monday announcement that it would drop its plan to require taxpayers to submit to facial recognition to access their online records. ID.me holds an $86.1 million contract with the IRS, which originally hired the company to provide facial recognition services.

All users will be able to delete their selfies or photos at account.ID.me beginning March 1, according to a news release.

“We have listened to the feedback about facial recognition and are making this important change, adding an option for users to verify directly with a human agent to ensure consumers have even more choice and control over their personal data,” ID.me founder and CEO Blake Hall said in a statement.

ID.me said agencies that procured its offline option would be able to verify the identifies of their customers through a video call or an in-person meeting, The Washington Post reported, but did not immediately respond to The Post’s questions of whether agencies would have to pay more for the option.

In January, ID.me told The Washington Post that it had 966 agents to handle video-chat verification for the U.S. The company said in a news release on Jan. 26 that it was hiring an additional 750 video chat agents.

ID.me agents have verified more than 3 million Americans, according to a news release, including the unbanked, homeless people and international users. It has a digital identity network of 73 million users with more than 145,000 people joining daily.

The IRS’ initial plan to require facial recognition for online records access beginning this summer had received scrutiny from legislators as well as tech privacy advocates.

On Thursday, a group of 15 Republican U.S. senators, including former Senate President Pro Tempore Chuck Grassley, sent IRS Commissioner Chuck Rettig a letter expressing concern over the IRS’s plan to implement facial recognition, and also questioning how secure taxpayers’ biometric data would be with the third-party service. On Monday, U.S. Sen. Ron Wyden, D-Oregon, chair of the Senate Finance Committee, sent Rettig a letter urging the IRS to reverse the “implementation of facial recognition screening software for Americans who wish to access their historical tax documents online.”

UPDATED: Va. becomes 2nd state with consumer data protection law

Updated March 2: Gov. Ralph Northam signed the Consumer Data Protection Act on Tuesday. In a statement, sponsor Sen. David Marsden, D-Fairfax, said, “This is a huge step forward. By creating this omnibus bill, we take the lead in data privacy in the United States. This omnibus bill is clear, concise and holds companies accountable for protecting consumer data in providing protections for consumers.” Also, Utah plans to pass an identical bill by the end of the week, Marsden added.

Earlier: 

Virginia is set to become the second state in the nation to enact a consumer data protection law, after Gov. Ralph Northam signs Virginia’s newly passed Consumer Data Protection Act. California was the first state to enforce data protection.

The act, which was passed by the General Assembly last month, would let consumers receive copies of their online data, amend or delete that data, and opt out of allowing big businesses to use the data for marketing or other purposes. It would take effect on Jan. 1, 2023. It affects only corporations that have personal data for at least 100,000 consumers in Virginia, or that make more than 50% of their income from the sale of personal data of at least 25,000 consumers in Virginia. If the bill is approved by the governor, the state’s Joint Commission on Technology and Science also will establish a work group to assess the bill’s implementation and release a study on its findings by this November.

Any fines collected from companies would go toward a “consumer privacy fund” in the state treasury, according to the bill.

That would keep all fines collected separate from the state’s General Fund, so they can be used for more specific purposes — similar to Virginia’s opioid abatement authority, which receives funds from lawsuits against opioid makers and distributors that are set aside for addiction prevention and treatment.

In terms of real-life impact, the bill will make it easier for people to opt out of sharing some personal details with big companies, notes Andrew Miller, vice president of strategy at Workshop Digital, a Richmond-based digital marketing firm. It also will place limits on large companies’ ability to use and sell details about Virginia users’ online lives, down to granular detail like which NFL team they prefer, which blender they bought last year or how often they listen to certain musical artists — if customers decide to opt out.

Virginia’s bill is “not on its face difficult from a compliance standpoint” for businesses, says Ashley L. Taylor Jr., a partner at Troutman Pepper who has a focus on federal and state government regulatory and enforcement matters. “The complexity is created by the fact that California is slightly different, Virginia is slightly different and there are rumblings in Oklahoma” for a data privacy law. But if more states follow the leads of Virginia and California, it could create a “patchwork of laws,” Miller notes.

More state data laws also means a lower chance of a federal bill that would supersede states’ acts and require more regulations, Taylor adds. Also fewer law firms will be willing or able to advise companies on compliance from state to state, since attorneys would have to be experts on how enforcement is taking place in multiple jurisdictions.

Civil enforcement of Virginia’s act, like California’s, would lie with the state attorney general’s office.

Virginia’s legislation would affect more than just the largest companies active here, despite the 100,000-customer benchmark. California’s Consumer Privacy Act of 2018, which allows California residents to opt out of the sale of their personal information and the right to delete some personal information already collected, has “touched every business, even a pizza place that has a rewards program,” Taylor notes. Every website or app that collects data is required to include an opt-out link under California’s law, and Virginia’s statute is similar, although a bit “scaled back,” he says.

Although California’s law, which is based on the European Union’s General Data Protection Regulation (GDPR) act, has had an impact on companies, corporate decisions to shift away from collecting more data also are affecting policies — and bottom lines.

“Google Analytics is way out in front with privacy,” Miller says. “Google and Google Analytics are planning a future … [in which] third-party cookies are going to be phased out in the next year. Chrome will stop allowing cookies to track people.”

Also, Apple has made recent moves to increase customer awareness of data collection, making its Identifier for Advertisers an explicitly opt-in setting with its operating system update set for this spring.

That means that unless an iPhone user selects the option that they want advertisers to track their purchases to measure ad effectiveness, marketers will not have access to that information. What this means for Google and Facebook is a potential loss of billions of revenue, financial analysts predict. Facebook has been in a standoff with Apple over the iOS update and another coming feature, the App Tracking Transparency program, which would require users to opt in to allow apps to track them across different apps and websites.

With these industry-driven changes and the possibility of other states soon following Virginia and California’s lead in consumer data protection, many companies will likely have to make some significant changes in their marketing practices in the next few years. California enacted its legislation, the state attorney general’s office reviewed companies’ websites, and if there wasn’t plain language showing users how to contact the company about data collection, “they got subpoenas,” Taylor says.

Virginia’s effective date of Jan. 1, 2023, should give companies plenty of time to comply, Taylor adds, as long as “the attorney general and the state give [companies] guidance on their regulations and expectations of business. You’ve got to have a target to shoot at. Maybe an open forum, a conference — some type of public conversation. That’s what I’m hoping for.”

Subscribe to Virginia Business.

Get our daily e-newsletter.

Virginia lawmakers advance Consumer Data Protection Act

RICHMOND, Va. — The General Assembly is advancing legislation that allows Virginia consumers more protection with their online data, though opponents say the measure does not include the ability for people to file private lawsuits against companies that breach the proposed law.

The measure is known as the Consumer Data Protection Act in both chambers of the state legislature. The Senate version, sponsored by Sen. David Marsden, D-Fairfax, passed the House 89-9 on Thursday. The House version, sponsored by Del. Cliff Hayes, D-Chesapeake, is awaiting a final vote but was passed by for the day Thursday.

“The consumers should have the right to know what is being collected about them,” Hayes said when introducing the bill.

The data protection act allows consumers to retrieve a copy of their online data, amend or delete this data and opt out of allowing large businesses to sell the data.

Hayes wants businesses to responsibly handle consumer information.

“The bottom line is, we want the controllers to know what their role is when it comes to the protection of individual’s data,” Hayes said during a House committee meeting. “We believe that no matter who you are as an organization, you need to be responsible when it comes to handling of data of consumers.”

The bills apply to businesses that control or process personal data of at least 100,000 consumers per year. It also impacts businesses that handle data of at least 25,000 consumers per year and make more than half of their gross revenue from selling personal data. The businesses must be located in Virginia or serve Virginians.

Under the Consumer Data Protection Act, the attorney general’s office would handle the enforcement of this legislation. The office would handle anything from consumer complaints to the enforcement of fines.

“The attorney general’s office will have the depth and breadth, experience, the investigative tools necessary to know and to follow trends of companies and to make sure that they bring the muscle of that office to the table,” Hayes said.

Microsoft’s Senior Director of Public Policy Ryan Harkins testified in favor of the proposed law.

“We’ve seen dramatic changes in technology over the past couple of decades and U.S. law has failed to keep pace,” Harkins said. “It’s fallen behind much of the rest of the world and failed to address growing challenges of privacy.”

Harkins said that Microsoft has advocated for data protection laws since 2005. He said that the public has lost trust in technology, and passing comprehensive data protection legislation can help win the public’s trust back.

Harkins said that the measure stands alongside leading data protection legislation such as California’s Consumer Privacy Act and aspects of the European Union’s General Data Protection Regulation.

“In some respects, it would go further and provide the most comprehensive and robust privacy laws in the United States,” Harkins said.

Attorney Mark Dix spoke in opposition of the bill on behalf of the Virginia Trial Lawyers Association. He said the measure would hurt Virginians because it is “going to close the courthouse doors.”

“It provides no cause of action whatsoever for the consumer, the person who is actually hurt,” Dix said. “It provides no remedy whatsoever for the consumer.”

Dix argued that having the attorney general’s office handle the enforcement of this legislation limits the consumer.Using a hypothetical scenario, Dix asked what would happen to Virginians if there was an administration change and the Attorney General did not prioritize data protection.

The Consumer Data Protection Act would take effect in January 2023. Marsden told a Senate subcommittee that allows time to “deal and field any other tweaks to the bill or difficulties that someone figures out.”

Capital News Service is a program of Virginia Commonwealth University’s Robertson School of Media and Culture. Students in the program provide state government coverage for a variety of media outlets in Virginia.

 

Subscribe to Virginia Business.

Get our daily e-newsletter.