State legislatures are looking for ways to make companies tighten up biometric data practices. Blank Rome attorneys explain it’s imperative that companies using biometric data devote the necessary time, effort, and resources to respond to this rapidly evolving landscape of privacy law.
California has seen a flurry of activity in the area of data privacy law, including the passage of the much-anticipated final amendments to the California Consumer Privacy Act of 2018 (CCPA), the issuance of the California attorney general’s proposed CCPA regulations, and enactment of AB 1130, which provides some fairly significant changes to the state’s data breach notification law.
AB 1130 highlights the continuing trend of states seeking to increase the amount of regulation placed on companies over their use of biometric data, further underscoring the importance that companies must place on ensuring their biometrics practices keep up with the fast-changing landscape of biometric privacy law.
Expanded Definition of ‘Personal Information’
Before the amendment, California’s data breach notification statute defined “personal information” as either a username or email address in combination with a password or security question and answer that would permit access to an online account, or an individual’s first name (or first initial) and last name in combination with any one or more of the following data elements:
- Social Security number,
- driver’s license number,
- California identification card number,
- account number or credit card number in combination with any required code or password that allows for access to a financial account,
- financial information, health insurance information, and
- information or data collected through the use or operation of an automated license plate recognition system.
Significantly, AB 1130 expands the definition of “personal information” to include biometric data, which is defined as “unique biometric data generated from measurements or technical analysis of human body characteristics, such as fingerprint, retina, or iris image, used to authenticate a specific individual.”
With that said, excluded from the law’s definition of biometric data are physical or digital photographs, unless used and stored for facial recognition purposes.
As a result of the amendment, if biometric data is among the personal information compromised in a breach, the business entity must now comply with the full range of notification requirements that the amended statute triggers, including the content, timing, and recipient rules that already applied to the other categories of personal information.
In addition, AB 1130 requires that, when biometric data is compromised, the breach notice instruct affected individuals how to notify other entities that use the same type of biometric data as an authenticator so that those entities stop relying on it for authentication. The practical rationale is that a leaked fingerprint or iris template, unlike a password, cannot be reset; the only remediation is to stop trusting it.
As technology has progressed, biometric technologies have become mainstream, with biometric data commonly used across a broad range of industries. In response, state legislatures have sought to modernize their privacy laws to address biometric data in several ways.
One way has been through the amendment of state breach notification laws to expand their definition of “personal information” to include biometric data. In addition to AB 1130 in California, several other states have amended their breach notification laws in 2019 to include biometric data, including Arkansas, New York, and Washington.
More importantly, the passage of AB 1130 may accelerate the pace at which states that have yet to add biometric data to their breach notification laws will act to do so.
Furthermore, new state consumer privacy laws, such as the CCPA, also include biometric data within their definitions of “personal information.” Beyond that, the CCPA requires covered entities to provide notice to consumers of how biometric data is used, and provides a private right of action if biometric data is subject to a breach and the company is found to have failed to implement “reasonable” security measures to safeguard such data.
In addition, to address the particular risk biometric data poses, namely that once compromised it permanently loses its value as a secure identifier because it cannot be reissued, several states have enacted laws that directly regulate the collection and use of biometric data by business entities.
In particular, Illinois’ Biometric Information Privacy Act (BIPA) has garnered headlines because of the tremendous volume of litigation it has generated from consumers alleging violations. The litigation has arisen largely from the law’s private right of action, which permits any person “aggrieved” by a violation to recover statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation.
Moreover, in addition to the laws currently on the books, a number of other states (and some municipalities as well) have recently introduced biometric privacy bills that feature private right of action provisions which are similar—if not identical—to Illinois’ BIPA.
Taken together, these developments make clear that state legislatures across the United States will continue to look for ways to force companies to tighten their biometric data practices, leading to greater regulation of the use of biometric data.
Ultimately, with more states seeking to enact biometric privacy laws, it is imperative that all companies using biometric data in the course of their business activities devote the necessary time, effort, and resources so they can be ready to respond to the rapidly evolving landscape of biometric privacy law.
"Companies Must Be Ready to Respond to Evolving Biometric Privacy Laws," by Jennifer J. Daniels and David J. Oberly was published in Bloomberg Law on December 4, 2019. Reproduced with permission from ©2019 The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com.