We've been using Windows Hello for business purposes for a while now, but I was recently asked about how our end users consent to the collection of biometric data. I believe that while biometrics aren't directly collected, they create a profile that can verify them, so I wonder if a specific policy is necessary. Additionally, we don't force users to use biometrics. How does your company handle this? Do you have specific policies around acceptable use regarding biometric data, or do you simply rely on users accepting Microsoft's terms when they enroll?
1 Answer
In our company, due to state privacy laws concerning biometrics, we have a specific workflow in our IT service management tools. Employees have to request Windows Hello and explicitly accept the terms about biometric data collection before they get access to the feature. It’s crucial for us to ensure compliance, especially with regulations like BIPA in Illinois.
If you're interested, you should look into that lawsuit—it highlights the importance of written consent regarding biometrics.
Also, just a note: the biometric data captured by Windows Hello is a mathematical representation and isn't reversible to original biometric samples. Here’s the official documentation for more info: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/how-it-works#biometric-data-storage.
Interesting approach! We usually emphasize privacy too, but haven’t focused much on Windows Hello. I agree that having a clear policy could help clarify consent—maybe we’ll implement something similar to what you have.