Purpose and Statutory Framework
This Biometric Information Privacy Policy ("Biometric Policy") describes the practices of Marcus Naulin ("we," "us," or "our") regarding the collection, retention, disclosure, protection, and destruction of Biometric Identifiers and Biometric Information. It is published in compliance with, and adopting the disclosure standards of:
- Illinois Biometric Information Privacy Act ("BIPA"), 740 ILCS 14/1 et seq.;
- Texas Capture or Use of Biometric Identifier Act ("CUBI"), Tex. Bus. & Com. Code § 503.001;
- Washington Biometric Identifiers Act, Wash. Rev. Code § 19.375;
- New York City Biometric Identifier Information Law, NYC Admin. Code § 22-1201;
- California Consumer Privacy Act / California Privacy Rights Act, Cal. Civ. Code § 1798.140(ae) (Sensitive Personal Information);
- The Federal Trade Commission's policy statement of May 18, 2023 regarding biometric information;
- Comparable state statutes adopted in or pending in other jurisdictions, including Maryland, Massachusetts, Vermont, Virginia, Colorado, Connecticut, Oregon, Tennessee, Texas (HB 1844), and Florida.
Where any jurisdiction's law provides greater protection, the more protective standard controls.
Definitions
| Term | Meaning |
|---|---|
| Biometric Identifier | A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Does not include writing samples, written signatures, photographs, demographic data, tattoo descriptions, or physical descriptions used by police, unless converted into a numerical biometric template. Excludes samples taken solely for medical diagnosis or treatment. |
| Biometric Information | Information of any kind, however captured, converted, stored, or shared, that is based on a Biometric Identifier and used to identify a specific individual. |
| Capture | Any acquisition, recording, or scanning of a Biometric Identifier, regardless of the device used. |
| Reasonable Standard of Care | The standard of care used by similar operators within the financial-services industry, taking into account the sensitivity of the data and current industry practice. |
When We May Collect Biometric Identifiers
We do not routinely collect Biometric Identifiers as part of our standard mortgage and real-estate services. We may collect or process Biometric Identifiers only in the limited circumstances described below and only with your separate written informed consent obtained through a signed release that complies with the more stringent of any applicable state statute:
- Identity verification. Some lenders, escrow companies, or identity-verification service providers may require a remote identity-verification process that captures a facial-geometry scan and matches it to a government-issued identification photograph. Where such a process is required, we will direct you to the third-party verification service and disclose the third party's biometric practices. We do not retain copies of the biometric template generated by the third party.
- Mobile-application authentication. If we offer a mobile application, you may choose to enable on-device biometric authentication (Touch ID, Face ID, fingerprint sensor) for sign-in. The biometric template never leaves your device; we receive only a yes/no authentication signal.
- Voice authentication. If you elect to authenticate through a voice-based call-center solution, the third-party voice-authentication vendor may create a voiceprint. We do not retain the voiceprint; the third party retains it under its own published biometric policy and applicable law.
- Notarial and remote-online-notarization ("RON") sessions. Some closings require a RON session in which the signing platform performs identity proofing including knowledge-based authentication and, where required by state law, biometric verification of the signer's photo identification. The RON platform retains records under applicable state notary law.
We will not capture, collect, purchase, receive through trade, or otherwise obtain a Biometric Identifier of any individual without first: (i) informing the individual or the individual's legally authorized representative in writing that the Biometric Identifier is being captured or stored; (ii) informing the individual or the individual's legally authorized representative in writing of the specific purpose and length of term for which the Biometric Identifier is being captured, collected, stored, and used; and (iii) receiving a written release from the individual or the individual's legally authorized representative.
Purposes of Collection
Where we are involved in the collection of a Biometric Identifier, the purpose is limited to:
- Verifying the identity of an applicant, borrower, signer, or party to a real-estate transaction.
- Preventing fraud, including straw-buyer schemes, identity theft, and unauthorized signing.
- Complying with applicable federal and state customer-identification, anti-money-laundering, and notarial laws.
- Authenticating returning users on optional in-app or in-portal features that you elect to enable.
We do not use Biometric Identifiers for marketing, advertising, profiling, or any commercial purpose unrelated to the verification, authentication, or compliance purposes above.
No Sale or Disclosure for Profit
We do not sell, lease, trade, or otherwise profit from a Biometric Identifier or Biometric Information. We do not disclose Biometric Identifiers or Biometric Information except: (i) with your separate written consent; (ii) to complete a financial transaction you have requested or authorized; (iii) as required by federal, state, or municipal law, including in response to a valid subpoena or court order; (iv) to a service provider acting on our behalf under a written contract that imposes equivalent biometric protections; or (v) in connection with the merger, acquisition, financing, reorganization, or sale of our business, subject to confidentiality undertakings and applicable law.
Retention and Destruction Schedule
We will permanently destroy any Biometric Identifier or Biometric Information in our possession when the initial purpose for collecting or obtaining it has been satisfied, or within three (3) years of our last interaction with the individual, whichever occurs first. Where state law imposes a shorter retention period, the shorter period controls. Records of authentication signals (yes/no) and audit logs that do not contain Biometric Identifiers or templates may be retained beyond this period for legal and audit purposes consistent with our Privacy Policy.
Storage, Transmission, and Protection
To the extent we hold Biometric Identifiers or Biometric Information, we do so using a Reasonable Standard of Care and in a manner that is the same as or more protective than the manner in which we store, transmit, and protect other confidential and sensitive information, including:
- Encryption of data at rest and in transit using industry-accepted protocols.
- Access limited to personnel with a need to know, with logged access events.
- Network segmentation and intrusion-detection systems.
- Regular vulnerability assessments and remediation.
- Vendor due diligence and biometric-specific contractual safeguards.
- Documented incident-response procedures, including notification consistent with state biometric and breach-notification laws.
Your Rights Regarding Biometric Information
Subject to applicable law, you have the right to:
- Receive a copy of this Biometric Policy.
- Be informed at the time of collection of the specific purposes and duration of use.
- Provide or refuse separate written consent before collection.
- Access and obtain confirmation regarding our collection of your Biometric Identifiers.
- Request correction of inaccurate Biometric Information.
- Request deletion of Biometric Identifiers and Biometric Information, subject to legal-hold exceptions.
- Withdraw consent prospectively without penalty.
- Lodge a complaint with the appropriate state regulator or attorney general.
To exercise any of these rights, contact us at contact@marcusnaulin.com.
State-Specific Provisions
Illinois (BIPA)
Illinois residents have a private right of action under 740 ILCS 14/20 for negligent or intentional violations and may recover liquidated damages of $1,000 (negligent) or $5,000 (intentional) per violation, or actual damages if greater, plus attorneys' fees.
Texas (CUBI)
The Texas Attorney General is the exclusive enforcer of CUBI. Civil penalties may reach $25,000 per violation.
Washington
The Washington Attorney General is the exclusive enforcer under the Consumer Protection Act, RCW 19.86.
New York City
Commercial establishments using biometric identifier technology must post a clear and conspicuous sign at all customer entrances; we do not capture customer biometrics in any physical location.
California
California residents may exercise rights under the CCPA/CPRA, including the right to limit use of Sensitive Personal Information, by following the procedure in our Privacy Policy.
No Third-Party Receipt Without Consent
If we are required by law to disclose Biometric Identifiers or Biometric Information to a third party (for example, in response to a subpoena), we will provide notice to you in advance where lawful and seek a protective order limiting use and onward disclosure.
Children
We do not knowingly collect Biometric Identifiers or Biometric Information from any individual under eighteen (18) years of age. If you become aware that a minor has provided Biometric Information through any service we offer, contact us immediately and we will take prompt steps to delete the data and discontinue any related processing.
Updates to This Biometric Policy
We may amend this Biometric Policy. Material changes will be communicated through the Site, by email, or by other reasonable means. Continued use of services after the effective date of any change indicates acceptance.
Contact Us
Marcus Naulin — Mortgage Planner & Real Estate Pro
Direct: (805) 377-5626
NMLS#: 469645 | DRE#: 01322846
Email: contact@marcusnaulin.com
Website: https://marcusnaulin.com
To exercise privacy rights, request records, opt out of communications, or ask any question about this policy, contact us through any channel above. We respond to written requests within thirty (30) days where feasible, and within statutorily mandated timeframes where shorter periods apply.
