The State of Proposed Biometrics Laws

Ballard Spahr LLP
Contact

Ballard Spahr LLP

2021 has so far been a year of conflicting impulses in biometrics law: two proposed bills in New York and Maryland would impose substantial new requirements on private entities, but in Illinois a proposed amendment would reign in that state’s existing Biometric Information Privacy Act (BIPA).BIPA is currently the only state statute that provides a private right of action for individuals when a private entity improperly collects, stores, or discloses their biometrics. (Portland, Oregon recently enacted an ordinance prohibiting private entities from using facial recognition in places of public accommodation, and providing a private right of action for enforcement.) Since it was enacted in 2008 BIPA has become the touchstone of biometrics litigation, but its effects have largely been felt only by companies doing business in Illinois.

On January 6, 2021, A27/S1933, the Biometric Privacy Act, was introduced in New York and referred to committee. Soon after, on January 13, HB218/SB16, the Biometric Identifiers and Biometric Information Privacy Act, was introduced in Maryland. HB218 was quickly withdrawn by its sponsor in the state house, but SB16 remains in committee in the state senate.

Both proposed state bills mirror BIPA in nearly all respects. Like BIPA, each would impose various requirements on private entities with respect to “biometric identifiers” and “biometric information,” and create a private cause of action awarding liquidated damages for any violation, and attorneys’ fees. As multiple defendants in BIPA class-actions could attest, such legislation if enacted could lead to waves of new litigation with the potential for astronomical damages figures for any companies who do not come into compliance.

While New York’s proposed law is substantially a copy of BIPA, Maryland’s differs in three key respects. First, BIPA only covers a narrow class of biometrics: retina, iris, hand, and facial scans, and finger and voiceprints, subject to various exclusions. SB16, however, proposes to broadly cover any “unique biological characteristic that can be used to uniquely authenticate the individual’s identity,” including genetic information (subject to the same exclusions set forth in BIPA). SB16, then, could broaden the frontiers of biometric privacy liability to new classes of companies—including DNA genealogy services. Second, while each bill, like BIPA, would require companies to develop, publish, and comply with a biometric data retention and destruction policy, SB 16 would not require publication of purely internal or employee-related policies. Finally, unlike BIPA and New York’s bill, SB16 would not impose any requirements for the initial collection of biometrics—just on their later use and storage.

Both bills envision a relatively short compliance period—A27/S1933 would become effective 90 days after enactment, and SB16 would take effect on January 1, 2022.

Comparison of New York and Maryland proposed bills with BIPA (differences in blue)

--> Scroll to see full table data
  NY A27/S1933 MD SB16 IL BIPA
Definition of biometric identifier A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; subject to various exclusions. Data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity; subject to various exclusions. A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; subject to various exclusions.
Definition of biometric information Information based on an individual’s biometric identifier used to identify an individual; does not include information derived from items or procedures excluded under definition of biometric identifiers. Information based on an individual’s biometric identifier used to identify an individual; does not include information derived from items or procedures excluded under definition of biometric identifiers. Information based on an individual’s biometric identifier used to identify an individual; does not include information derived from items or procedures excluded under definition of biometric identifiers.
Applicability Private entities (any individual, partnership, corporation, limited liability company, association, or other group, however organized). Private entities (any individual, partnership, corporation, limited liability company, association, or other group, however organized). Private entities (any individual, partnership, corporation, limited liability company, association, or other group, however organized).
Obligations (1) Develop, publish, and comply with a retention and destruction policy.

 

(2) Informed consent prior to collection

(3) Restriction on trade

(4) Informed consent prior to disclosure

(5) Protection of data

(1) Develop, publish, and comply with a retention and destruction policy; but publication is not required for policies limited to employees or internal operations.

 

(2) No collection requirement

(3) Restriction on trade

(4) Informed consent prior to disclosure

(5) Protection of data

(1) Develop, publish, and comply with a retention and destruction policy.

 

(2) Informed consent prior to collection

(3) Restriction on trade

(4) Informed consent prior to disclosure

(5) Protection of data

Private Cause of Action Yes Yes Yes
Damages/Penalties $1K/$5K, or actual damages per negligent/intentional or reckless violation; plus attorneys’ fees $1K/$5K, or actual damages per negligent/intentional or reckless violation; plus attorneys’ fees $1K/$5K, or actual damages per negligent/intentional or reckless violation; plus attorneys’ fees
--> Scroll to see full table data

The impetus for the proposed bills in New York and Maryland stands in contrast to the misgivings expressed by at least some delegates to the Illinois General Assembly. On February 2, 2021, HB559 was introduced as an amendment to substantially limit the scope of BIPA. The amendment was recently re-referred to committee on April 23. Among other things, HB559 would require a new 30-day notice and cure period prior to filing suit, and would allow companies who timely cure to cut off all liability for past BIPA violations. The amendment would also limit damages to the amount of actual damages, and shorten the statute of limitations from five years to one.

Like other prior proposed bills and BIPA amendments these proposed laws may die in committee, but biometrics law continues to be a dynamic area subject to potentially significant change.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.