Last updated: October 2023
In the United States, many states and cities, including but not limited to Illinois, Texas, and the city of Portland, have passed laws that have notice and consent requirements for how companies use, share, and store biometric data that can be used to identify individuals. If you have drivers who reside or operate vehicles in these jurisdictions, these laws may apply to your use of Camera ID. For more information about Camera ID, see Samsara's Biometric Data Retention and Destruction Policy.
The law in this area is changing rapidly. The information provided is not intended to be legal advice or a substitute for legal advice. If you have any questions, please contact your sales representative.
Summary of Key Requirements
The following list summarizes the key requirements for U.S. cities and states outlined above and is not intended to be exhaustive:
- Illinois: The Illinois law (here) requires companies to inform individuals in writing—before any biometric data is collected or captured—that their biometric data is being collected, stored, used, or disclosed; inform them of the specific purpose and length of term for which the biometric data is being collected, stored, and used; and also to obtain consent from them or their legally authorized representative in a written release. In addition, companies have to make a written policy available to the public about how they retain and destroy biometric data.
- Texas: The Texas law (here) sets retention guidelines for biometric identifiers and requires companies to inform individuals and obtain their consent before capturing biometric identifiers for commercial purposes.
- City of Portland: The City’s ordinance (here) prohibits the use of face recognition technologies by private entities in places of public accommodation within Portland city limits. The law provides an exemption, however, “[f]or user verification purposes by an individual to access the individual’s own personal or employer issued communication and electronic devices.” To the extent that your use of Camera ID is prohibited by the Portland ordinance, you should not enable Camera ID in your Dashboard settings.
Because the biometric privacy statutes noted above require consent before collecting or capturing biometric data, we strongly encourage you to incorporate a notice and consent process into your driver onboarding. For your convenience, we've included the following consent form and policy examples. Before using these examples, you should make sure they work for your intended use of Camera ID.
Consent to Collection of Biometric Data
We use Samsara’s hardware and software technology to manage our fleet and improve driver safety. The Camera ID feature will collect, store, and process information about your face for purposes of assigning drivers to vehicles, trips, and safety events in the Samsara dashboard. The facial recognition information used by Camera ID may include biometric data regulated under applicable law.
The facial recognition information used by Camera ID is processed using Amazon Web Services (AWS) cloud-based software. Camera ID information is retained until 184 days after [insert company name] either deactivates you from its Samsara account or disables Camera ID, at which point the Camera ID information, including any biometric data, will be permanently deleted. More information about Camera ID may be found at Samsara’s website: https://www.samsara.com/support/biometric-data-retention-and-destruction-policy.
Optional for Texas but required for Illinois: [A copy of our Biometric Data Policy is available on request.]
By signing below, you consent to Samsara's and [insert company name]’s collection, use, disclosure, and storage of your biometric data as described above.
Signature: __________________________________________________
Name: ______________________________________________________
Date: ________________________
[Insert company name] Biometric Data Retention and Deletion Policy
Purpose
We use Samsara’s hardware and software technology to manage our fleet and improve driver safety. Samsara’s Camera ID feature uses facial recognition information to enable us to assign drivers to vehicles, trips, and safety events in the Samsara dashboard. This enhances safety by increasing the efficacy of Samsara’s driver-based insights and also helps us maintain accurate logs of our operations.
Policy
Our policy is to protect, store, and delete any biometric data in accordance with applicable laws and regulations, including, but not limited to, the Illinois Biometric Information Privacy Act.
Retention and Destruction of Biometric Data
Camera ID information will be retained until 184 days after [insert company name] either deactivates you from its Samsara account or disables Camera ID, at which point the Camera ID information, including any biometric data, will be permanently deleted.
Last updated: October 2023
Samsara recommends always receiving consent before collecting sensitive personal information from individuals. In the European Union and the United Kingdom, the UK/EU General Data Protection Regulation (“GDPR”) and the laws of EU Member States contain requirements for how companies can use, share, store, or otherwise process “biometric” information that can be used to identify individuals, including some of the information used by Camera ID. For more information about Camera ID, including our retention of biometric information, see Samsara's Biometric Data Retention and Destruction Policy.
The following list is a summary of key UK/EU GDPR requirements and is not intended to be an exhaustive list:
- The UK/EU GDPR treats “biometric data for the purpose of uniquely identifying a natural person” as a special category of personal data. Thus, entities wishing to process such data must ensure they have an appropriate legal basis to do so.
- As for other features like audio recording and collection of location data, it is important to weigh the privacy impact of those features against your intended use.
The law in this area is changing rapidly. The information provided is not intended to be legal advice or a substitute for legal advice. If you have any questions, please contact your sales representative.
Last updated: October 2023
Samsara recommends always receiving consent before collecting sensitive personal information from individuals. In Canada, Canadian privacy laws contain requirements for how companies can collect, use, share, store, or otherwise process personal information. Biometric information, including the biometric information leveraged by Camera ID, is considered personal information under Canadian privacy laws, and is considered sensitive. As such, explicit and informed consent is generally required for its collection and use.
In the Canadian province of Quebec, there are additional conditions and restrictions for the collection and use of biometric information. These are set out in sections 44 and 45 of Quebec’s Act to establish a legal framework for information technology (here) and include (but are not limited to):
- A requirement that a person’s identity not be verified or confirmed by means of a process that allows biometric characteristics or measurements to be recorded, except with the express consent of the person concerned. An express consent must be voluntary, which means that the individual must be provided with an alternative if they do not consent.
- A requirement that the Commission d’accès à l’information (CAI) be notified in advance of the creation of a database of biometric characteristics and measurements.
The CAI has published a guide discussing these and other applicable requirements here. Additionally, in Quebec, organizations must ensure that their collection and use of biometric information complies with the Quebec Charter of Human Rights and Freedoms.
For more information about Camera ID, including our retention of biometric features, click here.
The following list is a summary of key Canadian Privacy Law requirements and is not intended to be an exhaustive list:
- Canadian privacy laws consider biometric information to be sensitive personal information. Thus, entities wishing to process such data must generally obtain informed and explicit consent to do so.
- As is the case for other features like audio and video recording and collection of location data, it is important to weigh the privacy impact of collecting and using biometric information against your intended use. Canadian privacy laws require that the collection and use of personal information be limited to what is reasonable and necessary in the circumstances.
- Since biometric information is personal information, it must be processed in compliance with all other requirements of Canadian privacy laws, including requirements relating to information security, limiting retention, data subject rights and transparency.
- Additional requirements and restrictions apply if collecting and using biometric information in the province of Quebec.
The law in this area is changing rapidly. The information provided is not intended to be legal advice or a substitute for legal advice. If you have any questions, please contact your sales representative.