How-to guide: How to comply with biometric information protections (USA)

This guide will assist in-house counsel, private practice lawyers, and compliance personnel in understanding how to comply with biometric information protections. Biometric technologies develop faster than laws and regulations, so it is an important area to keep track of.

Understanding how to comply with legal protections for biometric information is important for many groups. Some of these groups are businesses and employers (to safeguard employee and customer data) and technology developers (to protect user privacy).

This guide covers:

Overview of biometric information protection
Practical guidance on how to comply with legal protections

This guide can be used in conjunction with the following: Quick views: Key data privacy and data security terms and Regulation of data brokers; How-to guides: How to determine and apply relevant US privacy laws to your organization and How to draft a privacy policy, and privacy and data security provisions in contracts; and Checklists: Understanding privacy laws in the US and Privacy and data security law training.

Section 1 – Overview of biometric information protection

1.1 Biometric protections

Biometrics are biological and physical characteristics used to identify individuals. Common examples include fingerprints, faces, and retina patterns. Facial geometry, often used to identify a person for purposes such as unlocking a smartphone, is another common type of biometric identifier. However, these are just the most well-known types. Researchers suggest that other unique biometric identifiers include the shape of an ear, walking and sitting patterns, distinct body odors, hand vein patterns, and facial expressions. These traits expand the scope of what biometrics are.

Biometric information is unique to a particular person and cannot be falsified as readily as other forms of identification.

Companies are increasingly using biometrics to verify identity, enhance security, and improve user experience. Common applications include using biometrics to unlock devices, authorize financial transactions, grant access to secure premises, monitor attendance, and personalize customer interactions. Employers, retailers, financial institutions, and technology providers might incorporate biometric systems to reduce fraud, streamline processes, and replace or supplement passwords and access cards. These uses raise significant privacy and compliance considerations.

1.2 Federal laws and regulations

At present, there is no overarching federal law or regulation that provides protection for biometric information. Such federal protection as there is tends to take the form of context-specific laws. A brief overview of those laws that provide federal protection for biometrics is below.

1.2.1 Federal Trade Commission Act

The Federal Trade Commission Act (FTCA) applies to entities engaged in interstate commerce, excluding specific industries like banks and non-profits. Section 5(a) of the FTC Act (15 USC, section 45(a)(1)) prohibits ‘unfair or deceptive acts’ in commerce, which can include the misuse or misrepresentation of biometric information. The FTC has taken action against companies that mislead consumers about their use of biometric information.

Example

In 2022, the FTC reached a settlement with Everalbum, Inc., a photo app developer. The FTC alleged that Everalbum misled users of its Ever mobile app when it said that it would not apply facial recognition technology to users’ content unless they affirmatively chose to activate that feature. The company, however, automatically activated its face recognition feature – which could not be turned off – for almost all mobile app users. As part of the settlement, Everalbum is now required to obtain consumers’ express consent before using facial recognition technology on their photos and videos. In addition, if the company markets software to US consumers for personal use, it must obtain users’ express consent before using biometric information it collected from them.

The FTC has also provided guidance for companies regarding the use of biometric identification in advertising and marketing. The guidance focuses on two areas for FTC enforcement: deception and unfairness. Each of which is explored further below.

Deception

In the context of biometric identification, deception in violation of section 5 of the FTCA can take two forms.

First, there are false or unsubstantiated marketing claims that relate to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies that use biometric information. Claims about biometric information technologies are subject to the same rules as claims made in the advertisement of any other product or service: the person who makes a claim must have a reasonable basis for their claims at the time the claim is made. For example, claims that a certain technology is unbiased will be regarded as deceptive if those claims are true only for certain populations and if such limitations are not clearly stated.

For further information on this first type of deceptive trade practice, see Quick views: Deceptive trade practices and the laws prohibiting them and Understanding enforcement of deceptive trade practices and Checklist: Mitigating risks related to deceptive trade practices.

The second aspect is deceptive statements about the collection and use of biometric information. The rule here is simple: do not make false statements. A company should not make false statements about the extent to which they collect or use biometric information, or whether or how they implement technologies using biometric information. A company also must ensure that they are telling the complete truth. For example, a company should not make an affirmative statement about some purposes for which it uses biometric information but fail to disclose other uses of the information.

Unfairness

Under section 5 FTCA, a practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.

In the context of biometric information, according to the FTC guidance, the collection and use of biometric information can create a serious risk of harm to consumers, and the harms that stem from the improper collection and use of biometric information ‘are not reasonably avoidable by consumers if the collection and use of such information is not clearly and conspicuously disclosed or if access to essential goods and services is conditioned on providing the information.’ Failure to make disclosure will be regarded by the FTC as unfair.

1.2.2 Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct specific healthcare transactions electronically. It enacts the protection and confidential handling of protected health information (PHI). PHI includes, but is not limited to, biometric identifiers, including finger and voice prints. HIPAA requires the implementation of appropriate safeguards to protect the privacy and security of PHI, and grants individuals rights over their health information.

For more information, see Checklist: Understanding privacy laws in the US and How-to guides: How to determine and apply relevant US privacy laws to your organization and How to manage your organization’s data privacy and security risks.

1.3 State laws

In the absence of federal legislation, states have started to take the lead on biometric privacy. States that have enacted comprehensive consumer privacy laws often define protected information broadly enough to include biometric information. Three states – Illinois, Washington, and Texas – have enacted laws that provide specific protection against unauthorized disclosure of biometric information. Other states are likely to follow suit, probably using one of the existing state laws as a model. Information is provided below on the protections mandated by those states.

1.3.1 The Illinois Biometric Information Privacy Act (BIPA)

In 2008, the Illinois legislature unanimously enacted the Biometric Information Privacy Act (BIPA). This law empowers individuals to control their biometric information and prevents private companies from collecting such information unless they:

provide written notification about the data being collected or stored (eg, a fingerprint stored for app login);
specify in writing the purpose and duration for which the data will be collected, stored, and used (eg, fingerprint stored for app login convenience for six months); and
obtain written consent from the individual (eg, user signs a form of consent before sharing their fingerprint).

Biometric information under BIPA includes retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information. Beyond notice and consent, BIPA prohibits companies from selling or profiting from this data.

BIPA provides that a private entity that holds biometric identifiers or information must not sell, lease, trade or otherwise profit from that data. It may disclose or share such information only in limited circumstances:

when the individual or their authorised representative consents;
when the disclosure is needed to complete a transaction requested or authorised by the individual; when required by state, federal or local law; or
when required by a valid court warrant or subpoena.

The entity must store, transmit and protect biometric data using the reasonable standard of care expected within its industry and at least as securely as it protects other confidential or sensitive information.

BIPA also contains provisions relating to the storage and retention of the data collected. Section 15 of BIPA provides that a private entity that possesses biometric identifiers or biometric information must have in place a written policy that establishes a retention schedule for the data. The policy must also contain guidelines for the permanent destruction of biometric identifiers and biometric information ‘when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.’ The retention schedule and destruction guidelines must be followed unless a court issues a warrant or subpoena for the data. The entity’s policy must be ‘made available to the public,’ although BIPA does not set out how the policy must be made available.

BIPA remains the nation’s most protective biometric privacy law, uniquely allowing consumers to sue companies that violate it and recover damages of no less than $1,000 for a negligent violation or $5,000 for an intentional or reckless violation, or the consumer’s actual damages, whichever is greater.

Most of the biometric privacy laws and bills introduced across various states are based on BIPA, incorporating similar private rights of action and damages provisions. These laws and bills could significantly elevate the compliance risks and liability for companies that collect and process biometric data. Companies, especially those handling biometric information from residents of Illinois and other states with or contemplating BIPA-like laws, should ensure their data handling and processing practices comply with the requirements of relevant legislation.

1.3.2 Washington State Legislature, Chapter 19.375 Revised Code of Washington

Chapter 19.375 of the Revised Code of Washington (RCW) establishes regulations regarding the handling of biometric information. The law, enacted in 2017, prohibits any company or individual from entering biometric information (the term used in the legislation is ‘biometric identifier’) into a database without first providing notice to the individual, obtaining consent, and offering a mechanism to prevent the information from being used for a commercial purpose.

According to RCW 19.375.010, a ‘biometric identifier’ refers to data generated through automatic measurements of an individual’s biological traits, such as fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used for identification purposes. However, the term does not encompass physical or digital photographs, video or audio recordings, or data generated from these mediums. Additionally, it excludes information gathered for healthcare treatment, payment, or operations as outlined under HIPAA.

The law also uses the terminology ‘commercial purpose,’ which it defines as a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier. However, ‘commercial purpose’ excuses security or law enforcement use. The law does not apply to financial institutions or their affiliates governed by Title V of the federal Gramm-Leach-Bliley Act of 1999 and its associated rules, nor to activities permitted under Title V of HIPAA (as outlined above).

1.3.3 Texas Capture or Use of Biometric Identifier Act (2008)

The Texas Capture or Use of Biometric Identifier Act (CUBI) requires that persons and businesses capturing biometric identifiers (a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) for commercial purposes must provide notice to the individual and obtain consent before collection. The term ‘commercial purposes’ is not defined in the Act.

A person who possesses a biometric identifier of an individual that is captured for a commercial purpose is prohibited from selling, leasing, or disclosing biometric data, except to law enforcement.

CUBI mandates the protection of collected data through reasonable care and requires destruction of the data within a reasonable time, but no later than one year after the purpose of its collection has expired, unless an exception applies. The Texas Attorney General exclusively enforces CUBI and can impose civil penalties of up to $25,000 per violation.

The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted on June 22, 2025 and effective January 1, 2026, will make some significant changes to CUBI, regarding the use of biometric information by artificial intelligence systems. Section 2 of TRAIGA amends CUBI to provide that an individual has not been informed of, or consented to, the capture or storage of a biometric identifier for a commercial purpose solely because there is an image or other media containing one or more of the individual’s biometric identifiers on the internet or on some other publicly available source ‘unless the image or other media was made publicly available by the individual to whom the biometric identifiers relate.’

TRAIGA further provides that CUBI does not apply to biometric identifiers involved in ‘developing, training, evaluating, disseminating, or otherwise offering artificial intelligence models or systems,’ unless the system is used for the purpose of ‘uniquely identifying a specific individual,’ or the development or deployment of an artificial intelligence model or system for law enforcement or security purposes.

If a biometric identifier captured for training an artificial intelligence system is later used for a commercial purpose, the person possessing the identifier is subject to penalties.

1.3.4 Texas Data Privacy and Security Act (2023)

The Texas Data Privacy and Security Act (TDPSA) became law on June 16, 2023, making Texas the 11th state to enact comprehensive consumer data privacy legislation.

Under the TDPSA, biometric data is considered ‘sensitive’ data (ie, data that may not be processed without the consent of the subject of the data) only when processed to uniquely identify an individual.

Similar to other state privacy laws, the TDPSA defines ‘biometric data’ as information generated from automatic measurements of an individual’s biological traits, such as fingerprints, voiceprints, eye retinas or irises, and other unique biological patterns (potentially including ‘faceprints,’ though these are not explicitly mentioned). The definition specifically excludes physical and digital photographs, as well as video or audio recordings and any data derived from them. This exclusion aligns with definitions in other state privacy laws, but the TDPSA differs from BIPA, which applies to scans of facial geometry created from photographs, despite generally exempting photos and recordings.

The TDPSA provides that consumers have the right to know if their personal data is being used or processed and have the right to have errors in the stored data corrected, or to have their data deleted. Consumers also have the right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling.

1.4 Litigation

The litigation landscape continues to evolve in this practice area and there have been a number of class actions related to biometric data:

Patel v Facebook, Inc., 15-3747 (N.D. Cal. Feb. 26, 2021) resulted in a $650 million settlement, one of the largest consumer privacy settlements in US history, based on claims that Facebook collected user biometric data without consent. In this case, Facebook was using facial-recognition technology to analyze whether the user’s Facebook ‘friends’ were in photos uploaded by that user in order to tag them. The technology scanned uploaded photos and detected whether they contained images of faces included in their database by extracting the various geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature or map. The technology then compared the face signature to faces in Facebook’s database of face signatures that had already been matched to the user’s profile). The court held that these actions were in violation of BIPA.
A settlement in excess of $75 million was reached in connection with two lawsuits: Rogers v BNSF Railway Company, No. 19-cv-03083 (N.D. Ill.) and Rogers v BNSF Railway Company, No. 2019-CH-04393 (Cook Cnty., Ill.). The suits, brought on behalf of truck drivers that were required to register their fingerprint information as part of an ‘auto gate system’, alleged that BNSF’s Illinois facilities failed to comply with BIPA. Specifically, according to claimants, BNSF collected and stored this information without receiving driver consent and without informing drivers of its data retention policies, both of which are required under BIPA.
In Cothron v White Castle Sys., Inc., decided February 17, 2023, the Illinois Supreme Court held that a separate claim would accrue under BIPA with every scan or transmission of biometric identifiers or biometric information without prior informed consent. This could have resulted in substantial damage awards against businesses. In response, the State enacted Illinois SB2979, effective August 2, 2024, which significantly limits an individual’s right of recovery by clarifying that a private entity commits only a single violation of BIPA regardless of the number of times it collects, discloses, or otherwise obtains or disseminates an individual’s biometric identifier or biometric information using the same method of collection.

The cases above illustrate the potential monetary liabilities that can result from failure to comply with the laws and rules regarding biometric data. The financial damage done by a violation is often accompanied by reputational damage. The public has grown increasingly concerned about privacy issues, and a finding that a company does not take compliance with biometric privacy – privacy relating to the most fundamentally personal information in a person’s life – seriously could lead to a loss of consumer and public confidence in a company.

Section 2 – Practical guidance on how to comply with legal protections

There is currently no general requirement in the United States for organizations to maintain a formal biometric compliance program. Nor is there a uniform format or set of national standards governing such programs. However, because a growing number of privacy and data security laws address biometric information, almost all organizations should implement policies and practices to manage the collection, storage, and use of this data.

Although specific obligations differ across jurisdictions, a common compliance framework is emerging. It typically includes key elements such as notice and consent, data minimization, security safeguards, retention limits, and destruction policies. The information below highlights these generally applicable elements and offers practical steps for compliance.

The points outlined here are general guidance only. When developing a compliance plan, organizations must always refer to the specific laws and regulations applicable in each jurisdiction in which they operate.

2.1 Notification and consent

To simplify compliance with laws conferring protections on biometric information, it is best to limit the collection and use of biometric information to those situations in which authoritative identification is necessary, rather than just desirable.

Where the collection of biometric information is necessary, many states prohibit entities from collecting or obtaining an individual’s biometric data unless they:

notify the individual of the data’s collection or storage;
- inform the individual of the purpose and duration of the data’s collection, storage, and use; and
- obtain the individual’s consent.

2.1.1 Notification and information

The relevant statutes should be reviewed to determine the notice, information and consent required. Where notice of the collection or storage of biometric data is required, this should be provided in writing. The notice should detail the purpose and duration of the data collection, storage, and use to ensure that the consent obtained is informed.

2.1.2 Consent

Where relevant laws require that consent be obtained, companies need to establish procedures that ensure that they have appropriately obtained consent from the individuals. For example, under the BIPA, a written release executed by the subject of the biometric information or the subject’s legally authorized representative must be obtained. The execution of the written release may be by ‘an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record,’ which is the definition of an electronic signature for the purposes of the Uniform Electronic Transactions Act. Failure to obtain the release prior to the collection of the data may expose the collector to civil liability. In order to prove compliance, a company should adopt a system for obtaining consent that allows for the retention of a record of the consent. This record should be retained as long as the data is retained.

Most laws on biometric information collection are silent as to whether a business may refuse to provide goods or services unless the information is provided; however, Colorado law, effective July 1, 2025, prohibits refusing to provide a good or service to a consumer, based on the consumer’s refusal to consent to the controller’s ‘collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the collection, use, disclosure, transfer, sale, retention, or processing of the biometric identifier is necessary to provide the good or service.’

The consent should also include a clear and explicit manner by which the individual may terminate their consent, or the event that will be deemed as terminating consent (eg, where an employee’s data is concerned, voluntary termination of employment). If consent is withdrawn, the data should be deleted.

A person’s consent may be combined with notice, if the terms of both the notice and consent are set out clearly. An example in respect of the collection and use of an employee’s data is:

[Employer] will collect and store your fingerprints and will also take and store a retinal scan of your eye. This will be done for the purpose of verifying your identity for access to [Employer’s] timekeeping system and for granting access to secured locations or premises. Your fingerprint and retinal scan will not be disclosed to another party without your consent unless that disclosure is required by law or by a valid legal subpoena. Your fingerprint and retinal scan data will be permanently deleted from [Employer’s] systems within [30 days] of your separation from employment with [Employer] pursuant to [Employer’s] biometric data retention policy. A copy of the biometric data retention policy will be provided to you upon request. Alternately, that policy is available at [website] or in the Human Resources Department office.

By signing below, you consent to [Employer’s] collection, use, and storage of your fingerprint for the purposes set out above.

Further consent will be necessary for any disclosure or dissemination of biometric information beyond the purpose set out in the original collection.

Even if written consent is not required by the law of the jurisdiction, it is nonetheless best practice to obtain a written release executed by the subject of the biometric information. The release should identify the information to be collected, the purpose for collection (eg, ‘to ensure accurate identification for entry into restricted areas’), and the length of time the information will be retained.

2.2 No sale of data

Many states ban entities from selling, leasing, trading, or profiting from an individual’s biometric information. State laws that allow such practices typically require the individual’s consent before the transaction.

If the state law prohibits selling, leasing, trading, or profiting from biometric information, no such transaction may be negotiated or consummated. If the law allows such a transfer with consent, the company’s policy regarding biometric information (see Section 2.5, below) should require clear and unambiguous consent and this should be obtained prior to such a transfer.

2.3 Restricting disclosure of biometric information

Many states restrict entities from disclosing or sharing biometric data unless the individual consents or an exception applies (eg, it is necessary to complete a financial transaction requested by the individual or it is required by law). The original notice given to individuals should mention the possibility of further sharing or disclosing data, and the company’s biometric information policy should provide such a mechanism. Consent should be obtained before each individual share or disclosure. A blanket consent signed at the same time notice is given probably will not be considered sufficient.

2.4 Biometric information security

Many states require entities to store, transmit, and protect biometric information in accordance with industry-specific standards of care, ensuring the level of protection is at least equivalent to that used for other confidential and sensitive information.

Appropriate data security measures must be in place prior to collecting or storing biometric information. Biometric information is very sensitive information, largely because it cannot be changed in the event that it is lost or stolen.

Encrypt all biometric information. This is an essential element of security and should not be overlooked. Encryption makes the data unreadable to anyone who does not have the encryption key, making unauthorized disclosure of data far less likely.

The FTC has also prepared a useful guide – Safeguards Rule: What Your Business Needs to Know – for protecting the security of customer information. While the Safeguards Rule is directed towards financial information, the Rule provides useful guidance for any type of business. The Rule includes seven specific practices that businesses should follow:

designate a qualified individual to oversee the information security program;
develop and implement written policies and procedures to control risks to customer information;
designate and implement appropriate security measures to control access to customer information;
take steps to reasonably safeguard customer information in electronic form;
train employees on the information security program;
develop and implement procedures to respond to unauthorized access to or use of customer information; and
regularly monitor and test the effectiveness of the information security program.

The FTC Safeguards Rule, while not binding on businesses other than financial institutions, provide best practices for the use of biometric information.

2.5 Policy creation

Many states mandate that entities create a publicly accessible written policy outlining a retention schedule and destruction guidelines for biometric data. The policy should be posted on a company’s website, with potential customers or employees, as applicable, directed to that site. The policy should be freely available and not restricted to certain users.

2.6 Destruction of biometric evidence

Many states require the destruction of biometric information either when the purpose for its collection has been fulfilled or within three years of the individual’s last interaction with the entity, whichever comes first. Data destruction is not a simple process – to do it well involves more than merely deleting files. To implement a destruction policy, and ensure that the data is truly destroyed, an outside contractor should be called in. The use of professionals, such as a company AAA-certified by the National Association for Information Destruction (NAID), is a way to ensure effective destruction.

2.7 General steps

In addition to the foregoing measures, there are some general steps that can be taken to ensure that your organization complies with laws relating to biometric information protection.

2.7.1 Manual

As best practice, the organization should reduce their practices and policies into a written document for internal use and reference by employees and contractors, as relevant. While there may not be a template for a biometric business practice and policy manual, there are several documents that help provide guidance on the specific items to be included. For example, materials can be gleaned from the document FTC Recommends Best Practices for Companies That Use Facial Recognition Technologies. In a 2023 Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, the FTC noted that the recommendations in the report on best practices for companies that use facial technology remain relevant, such as reasonable data security protections for biometric information and appropriate data retention and disposal policies and procedures.

Another guidance document is the International Biometrics & Identification Association’s Privacy Best Practice Recommendations For Commercial Biometric Use. This document includes recommendations for openness and accountability and also recommends a policy for ‘Problem Resolution and Redress.’

Consider including the following aspects within a written manual:

Details of responsibilities for governance and oversight:
- set out responsibility for biometric compliance and security; and
- document procedures for periodic audit, policy review, and incident escalation.
Specification of the scope and lawful use of biometric information:
- define biometric information and identify systems within scope;
- specify permitted purposes and prohibit unrelated use of biometric information; and
- require any new purpose or change in processing to be documented and justified and detail any processes to be followed.
Documentation of the inclusion of privacy by design processes:
- document the processes in place to ensure that privacy and security are built into product design and procurement;
- detail how to apply data minimization practices; and
- avoid use in sensitive areas.
Details of security and data management:
- document the processes to protect images and biometric data through encryption, access control, and secure transfer. Prevent unauthorized scraping or secondary use; and
- define retention periods and ensure secure deletion when no longer needed.
Documentation of processes to provide transparency and notice to those whose biometric information is to be collected:
- give clear, timely notice before any biometric collection (signage, online prompt, or layered notice);
- explain what is collected, why, retention, access, and deletion rights; and
- review and update notices regularly.
Details of consent and individual control processes:
- obtain clear consent before collection or new use of biometric data;
- record and manage consent decisions;
- allow users to disable features and delete stored data; and
- require express consent before identifying unknown individuals.
Establish processes for third-party handling:
- contractually require third parties to meet equivalent standards; and
- restrict onward sharing without approval and, where needed, obtain user consent.
Document processes for rights, training, and review:
- provide processes for access, correction, and deletion requests;
- train staff on privacy and biometric handling; and
- audit systems and update policies to reflect new technology and law.

2.7.2 Training

Training should be provided to persons and departments within the organization who present a risk of noncompliance with biometric laws. Those most at risk of noncompliance include security personnel, and members of the IT department responsible for, or involved in, the collection and storage of data. Other departments or staff members, such as those who use the data that has been collected (eg, marketing or research personnel) also pose a risk of noncompliance. The training should emphasize obtaining consent for the collection of data, secure storage of data, and the permissible uses of the data. Destruction of unused data should also be covered.

2.7.3 Updates

Biometric privacy is a relatively new area, and it is constantly evolving. A company should regularly monitor laws and regulations, as well as news resources and internet sites for developments or discussions of potential developments.

Additional resources

Oluwatosin Reis, et al., Privacy Law Challenges in the Digital Age: A Global Review of Legislation and Enforcement
X. Wang, et al., Beyond surveillance: privacy, ethics, and regulations in face recognition technology
R. Zhao, et al., Visual Content Privacy Protection: A Survey