The Illinois Supreme Court’s recent broad interpretation of the pioneering Illinois Biometric Identity Protection Act justifies close attention to legislative and regulatory developments regarding collection and protection of biometric identifier data. Our previous report of this decision may be found here. Two other states, Texas and Washington, already have biometric identifier privacy laws in place, although not with the breadth of the Illinois statute. For example, neither of those statutes provides for a private right of action that is afforded under the Illinois law. In each case, enforcement of provisions is left to the state Attorney General.
But other jurisdictions are now getting into the act. The California Consumer Privacy Act, passed last year, but which will not take effect until January 1, 2020, includes a comprehensive definition of “biometric information” as a component of protected personal information. But as currently approved, the statute’s narrow private right of action for monetary damages does not cover violations of privacy requirements for biometric information. Although the legislature declined to create a such a private right of action in making initial amendments to the Act last fall, that could be changed before the law takes effect. An amendment to do so was filed in the legislature on February 22.
Arizona is also considering biometric data legislation. House Bill 2478, unanimously approved by the House Technology Committee on February 13 and approved by a majority of the House Rules Committee on February 18, requires notice and consumer consent. However, the proposal does not include a private right of action, but provides for enforcement by the Attorney General.
On the other hand, a bill with seven co-sponsors, Int. No. 1170, is pending before the New York City Council. It requires, among other things, notification of collection of “biometric indentifier” information and provides a private right of action “against any commercial establishment that is alleged to have violated the” law.
Most significantly in light of the recent Illinois Supreme Court decision, last month four legislators in Massachusetts introduced Senate Bill 341, an “Act relative to consumer data privacy.” It covers biometric information and contains a specific private right of action that provides “a violation…shall constitute an injury in fact to the consumer who suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action” under the law.
Further, proposed legislation has been introduced in other states (New York, Alaska, Michigan and Delaware). New York SB 01203 reportedly reflects the third year the State has attempted to pass such legislation.
There is increasingly broadening attention on both the Federal and state level to protecting transparency and consent when it comes collection and use of consumer personal information. Greater use of biometric identifiers in various contexts make it seem likely that such data will be included in that definition. Any company that collects, retains or makes use of such data should pay close attention to developments relating to existing as well as future potential laws.