State Biometric Privacy Legislation: What You Need to Know

Privacy & Cybersecurity Update

Date: September 05, 2019

The regulations are coming, the regulations are coming! More and more states have attempted to regulate biometric data in the general business, employer and consumer contexts. In recent years, several states have either enacted or proposed laws that directly or indirectly regulate the collection, storage and use of an individual’s biometric data, and as new and useful biometric-related technologies become easily accessible to businesses, these laws can create enormous liability. Employers sensibly using fingerprints or other biometric identifiers to validate employee attendance or secure sensitive facilities, for example, have found themselves in the crosshairs of costly and burdensome class action litigation.

What Is Biometric Data?

Simply put, biometric data consists of the identifying characteristics of a person’s body or mind and is separated into two categories: physiological and behavioral. Physiological biometrics pertain to the body and include DNA, retinal scans, fingerprints or other characteristics such as the shape of a person’s hand or face or the sound of their voice. Behavioral biometrics encompass a person’s specific movements and actions or even thought patterns.

Existing Regulations

Illinois was the first state to regulate the collection, use and disclosure of biometric data in its own unique and discrete context when it enacted its Biometric Information Privacy Act (BIPA) in 2008. Multiple states have utilized BIPA as a model for biometric protections.


BIPA requires any private entity that possesses biometric information or identifiers to develop and make publicly available a written policy that includes a retention schedule and guidelines for permanently destroying the information when the initial purpose for collecting or obtaining it has been satisfied or within three years of the individual’s last interaction with the entity (whichever occurs first). Furthermore, a private entity may not capture or collect biometric information unless it provides the individual with a written statement detailing the specific purpose and retention period for the collected biometric data and obtains a written release from the individual, and BIPA sets forth similar restrictions on a private entity’s ability to disclose such information. It is important to note that BIPA grants aggrieved individuals a private right of action to sue for a mere violation of the law’s requirements even if the individual does not suffer actual injury. In January 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. held that an individual need not suffer actual harm to gain standing to sue under BIPA. Although the Illinois legislature is considering an amendment that would remove BIPA’s private right of action, it has yet to adopt any such change.


In 2009, Texas enacted its own biometric privacy act, which prohibits the capture of an individual’s biometric identifiers for a commercial purpose unless the individual is first informed and consents. Texas law also limits the sale or disclosure of an individual’s biometric identifiers except under limited circumstances.


Washington enacted biometric privacy protections in 2017 that prohibit any company or individual from entering biometric data into a database without providing notice, gaining consent and providing a mechanism for preventing the subsequent use of the biometric data for a commercial purpose.

Recently Enacted Legislation

Several states have recently enacted new protections for biometric data. For example, Arkansas, California, Washington and New York amended their existing state laws to include biometric data in the definition of personal information (PI), and by doing so have extended existing protections to biometric data.


Effective August 9, 2019, Arkansas amended the definition of covered PI within its data breach response law to include biometric data, such as an individual’s voiceprint, handprint, fingerprint, DNA, retinal/iris scan, hand geometry, faceprint or any other unique biological characteristic, if the characteristic is used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or an account. Under Arkansas law, businesses and individuals that acquire, own or license PI, including biometric data, are required to implement and maintain reasonable and appropriate security practices to protect the data from unauthorized access or disclosure. In the event of a data breach, businesses and individuals are now required to disclose a breach of PI to affected individuals and, if it affects more than 1,000 persons, to the attorney general.


In 2018, California passed the California Consumer Privacy Act (CCPA), which expanded its existing privacy and information security regulatory framework to cover biometric data. Specifically, California’s definition of PI now includes biometric data, which the CCPA broadly defines to include physiological, biological and behavioral characteristics. Although the CCPA is not effective until January 1, 2020, businesses should proactively evaluate its impact on their operations.


Like Arkansas, Washington recently amended its existing data breach response law, which is distinct from its 2017 biometric privacy law, by including biometric data in its definition of covered PI. In particular, biometric data refers to information generated by the automatic measurement of an individual’s biological characteristic such as a fingerprint, voiceprint, retina, iris, or other unique biological pattern or characteristic used to identify a specific individual. By incorporating biometric data into its existing regulatory framework, Washington now requires that individuals, among others, be notified if an entity that stores biometric data experiences a data breach.

New York

Effective in February 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act revises the existing definition of covered PI to now include biometric information, such as a fingerprint, voiceprint, retina or iris image, or other unique physical or digital representation of biometric data, which is used to authenticate or ascertain the individual’s identity. The SHIELD Act requires notification when there is unauthorized access to a New York resident’s information. Furthermore, businesses that maintain New York residents’ PI must include protections for biometric data when developing and implementing reasonable safeguards as required by the act.

It is important to note that several states already include biometric data in the definition of PI for the purposes of data breach notification.

Potential New Regulations

In recent years, Delaware, Alaska, Florida, Arizona, Hawaii, Oregon, Massachusetts, New Hampshire, New Jersey and Rhode Island have introduced legislation that would provide protections for biometric data. Although these proposals have not yet been enacted, this demonstrates the trend among states to provide protections and regulate the collection of biometric data.

Key Takeaways

As more states seek to regulate and protect biometric data, companies that collect, use and store biometric data or are contemplating doing so should consider creating and implementing policies and procedures that incorporate the appropriate security, notice and consent requirements, even if they are not currently required to do so by law.


For more information, please contact:

Thomas F. Zych

Steven G. Stransky

Brian Doyle-Wenger

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.