Credit: Matthew Modoono/Northeastern University

Amazon is offering $10 in store credit to anyone who hands over their palm prints for use at the company's register-free brick and mortar stores—a move that may make check-out quicker and more convenient for customers, but comes with plenty of privacy risk, say two Northeastern scholars of law and marketing.

"Biometric is permanent," says Ari Waldman, professor of law and computer science at Northeastern. "You can change your name, , and fairly quickly, but you can't change your fingerprint, or the unique characteristics of your palm. And once you give a your , it could track you forever with that information."

Amazon introduced palm scanners last year, called Amazon One devices, so customers could pay for goods at its in-person stores by waving their hands over the devices on their way out. To cash in on the $10 credit, Amazon users have to enroll their palm prints in the scanners and link the information to their accounts.

The devices are available at 53 Amazon stores across the United States, including some Whole Foods Markets.

The e-commerce company isn't the first to incorporate biometric data into its products and services—people can unlock their Apple iPhones, Google Pixel smartphones, and Samsung Galaxy phones with their fingerprints or by facial recognition. And Amazon won't be the last company, either, says Yakov Bart, associate professor of marketing at Northeastern.

"We're seeing an explosion of biometric-based systems in business and if anything, it will just keep becoming more prevalent as cloud processing enables companies to use the data without needing to make the software and hardware for themselves," says Bart, who is also the Joseph G. Riesman research professor in the D'Amore-McKim School of Business.

Consumers largely benefit from the convenience—entering your palm print makes for a faster, more seamless check-out process, for example. But it's not always clear what a company will do with consumers' once it has it. Amazon sold its facial recognition software to police departments, a practice it paused after civil liberties advocates called out the inaccuracy of such face-matching programs.

And current laws are not only "insufficient" to protect consumers' privacy, Waldman says, many are also designed with the interest of the company in mind.

"The law has the capacity to regulate this business model, but policies that rely on piecemeal approaches are insufficient," he says, referring to Europe's General Data Protection Regulation and state-level approaches such as the Biometric Information Privacy Act in Illinois.

Offering to buy users' biometric information is "particularly problematic," Bart says, because it opens up a host of potential discriminatory practices.

"Once you start setting the price for people's information, you have to wonder whether companies start offering different prices for different people—my information might be less valuable to a brand than a billionaire's, for example," he says.

On a broader level, pay-for-data models "enforce the notion that our privacy is a commodity for sale, rather than a right," Waldman says.