“It’s just such a powerful technology I think it’s going to be too hard for companies to stay away from it and we will probably gradually see that implementation happening more and more,” said Tyler Thompson, a data privacy shareholder for Greenberg Traurig, LLP at the firm’s Denver office.
Launched in 2020, Amazon One is a system that utilizes biometric technology to allow Amazon customers to pay for their groceries at Whole Foods Market. The system utilizes scanners and sensors to detect unique features and characteristics of the palm of your hand that are distinct to you. According to a news release from Amazon, this unique technology utilizes cameras to capture details like lines and ridges; even vein patterns in your hand, creating a palm signature.
Now launching in all 500-plus Whole Foods Markets across the U.S. by the end of the year, Amazon One could become a staple in businesses moving forward.
“Amazon One is designed to deliver the highest levels of customer privacy and data security,” wrote Gerard Medioni, vice president and distinguished scientist for Amazon Web Services Applications.
Medioni breaks down five facts about Amazon One and this biometric technology — “with Amazon One, the customer is always in control; Amazon One palm recognition is highly secure; your palm data is safeguarded in the AWS Cloud; we do not share your palm data with government agencies or advertisers; and customers love the convenience of Amazon One.”
Other businesses that utilize Amazon One include travel retailers like the Hudson Group in airports; entertainment venues like Hollywood Casino in Detroit, Michigan; and sports stadiums including Coors Field in Denver.
Brought to Coors Field in May, Amazon One delivers convenience to guests including shorter wait times, quicker access to buildings, the ability to link their loyalty memberships, and an easier way to grab their beer, explained John McKay, senior director of food service operations and development for the Colorado Rockies.
Amazon One has also been implemented in select Panera Bread locations across the country. It allows customers to access their MyPanera account information to use and acquire loyalty rewards, as well as pay for their orders.
Restaurants like Panera Bread are attracted to this technology, explained Thompson, because it can be safer than other technologies like email address passwords, and social security or phone numbers that can be easily replicated. “It’s very hard to impersonate … so that’s why it’s attractive for companies because it is very identifiable and very hard, if kind of impossible, to fake,” added Thompson.
According to Guy Sereff, a privacy and cybersecurity partner for Michael Best & Friedrich LLP at its Broomfield office, there’s no readily available technology that would be able to replicate your hand.
For Amazon customers, there is AWS. Part of this service is AWS Cloud where all of your data and information is stored. According to Amazon, this system is “backed by more than 300 cloud security tools and 100,000 security partners from around the world.” It utilizes “multilayered security controls” and a complex cloud infrastructure to encrypt and secure data.
But with that much security comes built-in public trust explained Sereff.
“If we’re talking about cloud systems … once you put that data out there, there is risk … of a data breach and that data getting out,” added Thompson.
Like most technology, once it’s built, someone will learn how to break it. Then it’s refortified, and broken again. A cycle, Sereff explained, that’s occurred since “time immortal.”
With more and more companies using this third-party technology, they run the potential of facing litigation if there is ever a breach of privacy or data.
“There’s just risk in doing this because there’s a lot more regulation around it,” Thompson noted.
With the rise of high-dollar lawsuits in the world of data and cybersecurity, come more comprehensive state laws.
Colorado recently passed a law related specifically to biometric data, similar to the Biometric Information Privacy Act in Illinois.
Senate Bill 21-190, also known as the “Protect Personal Data Privacy” bill, was signed by Gov. Jared Polis on July 7, 2021, and took effect July 1. From this bill, sponsored by Democratic Sen. Robert Rodriguez and Republican Sen. Paul Lundeen, and Democratic Rep. Monica Duran and Republican Rep. Terri Carver, came the Colorado Privacy Act within the Colorado Consumer Protection Act.
According to the final fiscal note, this bill “addresses consumers’ rights to privacy, companies’ responsibility to protect personal data and authorizes the Attorney General and district attorneys to take enforcement action for violations.”
In 2020, Democratic U.S. Sen. Jeff Merkley introduced the National Biometric Information Privacy Act. According to his proposal, this bill would “prohibit private companies from collecting biometric data … without consumers and employees’ consent, or profiting off this data.” Merkley was joined by Vermont U.S. Sen. Bernie Sanders to introduce the legislation. The bill has had no movement.
“Because of the potential liability … there have been some companies that back out of biometrics [because] it’s not worth it,” added Sereff.
Venues like Red Rocks Park and Amphitheatre run by Denver Arts & Venues were considering using this technology. Implemented by the venue’s ticketing provider, AXS, Amazon One was to be used for entry/ticket scanning. However, the venue’s concern was the physical challenges of the technology, wrote Brian Kitts, the director of marketing and communications at Denver Arts & Venues, to Law Week via email.
Some of these demands included venue logistics, the tricky aspects of outdoor venues, not being equipped to provide covered areas for the machinery, sufficient electrical access and high upload speeds, explained Kitts.
“Provided Red Rocks is able to overcome the physical logistics, we’d certainly consider hosting new technologies again,” added Kitts.
As this technology continues to rise, Thompson feels its future is limited because he feels there are those who are uncomfortable with it, fearing their information will be used for something other than security.
“I tend to be skeptical … because I don’t know if the public has an appetite for it,” added Thompson.
On the other hand, there are other countries that are successfully implementing this technology for security and surveillance, so it could potentially be too attractive of a product for large companies or governments to pass on, Thompson explained.
“It is so easy to identify somebody by biometric information; to identify them in a wide variety of contexts. Whether they’re logging into a computer with a thumbprint or walking into a store or walking down the street.”