Q: What states have biometric laws and what does this mean for my company?
A. Introduction: Biometric Laws in 2022
In the first quarter of 2022 alone, no fewer than seven states have introduced biometric laws — California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York — generally based on Illinois’ Biometric Information Privacy Act (BIPA). Currently, only Illinois, Texas, and Washington have enacted biometric laws, and only the Illinois law provides individuals with a private right of action. While California’s Consumer Privacy Act (CCPA) covers the protection of biometric data, the act only provides a private right of action where the information was involved in an unauthorized exposure as a result of the business’ failure to implement and maintain reasonable security procedures and the business’ failure to take certain steps after receiving a consumer request.
Legislation Introduced in 2022
California’s legislature adjourns on August 31, 2022.
Senate Bill 1189: Biometric Information. On February 17, California State Senator Bob Wieckowski (D) introduced SB1189, which would broaden the definition of biometric information to increase privacy protections for California consumers. The bill essentially mimics BIPA and would impose further obligations on companies that use biometric information. It also would provide a private right of action to consumers beyond that found in the CCPA. Its statutory damages component, however, is less stringent than BIPA, as it specifies that such damages shall be not less than $100 and not greater than $1,000 per violation, per day. While it does not separate negligent from willful offenses, it does provide for punitive damages. Most recently, the bill was referred for a hearing on April 5; on March 28, it was returned from the Senate Judiciary Committee with amendments prohibiting a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.
Kentucky’s legislature adjourns on April 15, 2022.
House Bill 626: Biometric Identifiers. On February 28, Kentucky State Representative Josh Bray (R) introduced HB626. Also modeled after BIPA, the act would, if passed, impose obligations on businesses, including obtaining consent before collecting any biometric data and employing reasonable security measures to safeguard biometric information. Unlike other states and BIPA, it would not provide for a private right of action and would be enforced by the Kentucky attorney general. It also includes a Gramm-Leach-Bliley Act exemption for covered entities. The bill was assigned to the Committee on Committees the day it was introduced, and there has been no action on it since. With Kentucky’s legislature adjourning on April 15, it is unclear if this bill will survive.
Maine’s legislature adjourns on April 20, 2022.
House Bill 1945: Regulating the Use of Biometric Identifiers. On January 26, Maine State Representative Margaret O’Neil (D) and a bipartisan group of other legislators introduced HB1945. The act would allow consumers to request what biometric information is collected by a business, including the type of biometric identifier, the types of sources from which the private entity obtained the biometric identifier, and any disclosure with a third party. Unlike BIPA, the act acknowledges the role of the “processor,” i.e., a private entity that collects, processes, stores, or otherwise uses biometric identifiers on behalf of another entity. Processors are not required to comply with the act to the extent the biometric data is processed under an agreement with another private entity not affiliated through common ownership. The act includes a private right of action and the same $1,000/$5,000 statutory damages scheme as BIPA. The bill has struggled in various work sessions, with no consensus. Most recently, HB1945 received a divided report after a joint work session on March 25. With Maine’s legislature adjourning on April 20, and this bill seemingly unable to find its footing, it is unclear if it will be successful or not.
Maryland’s legislature adjourns on April 11, 2022.
House Bill 259: The Use of Biometric Data by Private Entities. On January 13, Maryland State Delegate Sara Love (D), with a bipartisan group of 10 other legislators (Delegate Robin Grammer being the sole Republican), introduced HB0259. Modeled after Illinois’ BIPA, this act also includes a private right of action. However, unlike Illinois’ BIPA, Maryland’s act also includes consumer-specific rights à la the CCPA, such as the right to deletion and the right to know what is being collected. And like the CCPA, Maryland’s act also includes a prohibition on discrimination, which means companies cannot charge different prices or rates for goods or services to individuals who exercise their rights under the act. It also includes a Gramm-Leach-Bliley Act exemption for covered entities. HB259 recently passed the House after its third reading (100-30), and is now in the Senate, where it has been referred to the Finance Committee.
Massachusetts’s legislature meets year-round; its formal session ends on July 31, 2022, and its informal session commences on August 1, 2022.
Senate Bill 2687: Protecting Personal Biometric Data. On February 14, Massachusetts’s Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity introduced SB2687. The bill would protect personal biometric data by regulating how biometric data is collected, used, sold, and destroyed. Though voted favorably in committee upon introduction, nothing else has happened with this bill since February 14. SB2687 began as SB220 in March 2021. In its initial form, it was almost solely a biometrics protection bill, imposing obligations on companies that collect and use biometric information. After a joint hearing in September 2021, SB220 was scrapped, and SB2687 took its place, becoming less a strict biometrics law and more a general law about all consumer data.
Missouri’s legislature adjourns on May 20, 2022.
House Bill 2716: Establishing the Biometric Information Privacy Act. On February 16, Missouri State Representative Doug Clemens (D) introduced HB2716. The bill would establish the state’s Biometric Information Privacy Act. The bill would require private entities in possession of biometric identifiers or information to have a written and publicly available retention schedule and guidelines for permanently destroying such identifiers and information when the initial purpose for collecting or obtaining them has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first. It would allow a private right of action and contains the common $1,000/$5,000 statutory damages scheme for negligent/intentional violations. It also includes a Gramm-Leach-Bliley Act exemption for covered entities.
New York’s legislature meets year-round.
Assembly Bill A27: Establishing the Biometric Privacy Act. On January 6, 2021, New York State Assembly member Aileen Gunther (D) and a bipartisan group of 25 other legislators introduced AB27. This is the fourth time a biometric privacy bill has been introduced in New York. If passed, it would impose certain obligations on businesses, including obtaining consent before any collection of biometric data and employing reasonable security measures to safeguard biometric information. Like BIPA, it provides for liquidated damages of $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, attorneys’ fees, costs, and other relief, such as an injunction. It also contains a private right of action, and includes a Gramm-Leach-Bliley Act exemption for covered entities. AB27 lay dormant until January 2022, when it was once again referred to the Assembly’s Consumer Affairs and Protection Committee. No other action has occurred with respect to the bill. A similar bill, SB1933, was introduced by New York State Senator Patricia Ritchie (R) on January 16, 2021. It, too, has been stuck in its committee for over a year.
|Obligation||CA SB1189||KY HB626||ME HB1945||MD HB259||MA SB2687||MO HB2716||NY A27|
|Deletion of biometric information||Yes, the earlier of (1) date on which the initial purpose for collecting is satisfied or (2) one year after the individual’s last intentional interaction with the private entity.||Yes, within one year, but may be maintained for a period longer than the one year if required by law. Once it is no longer required by law, it must be deleted within one year.||Yes, the earlier of (1) the date on which the initial purpose has been satisfied or (2) one year after the individual’s last intentional interaction with the private entity.||Yes, within one year after the individual’s last interaction with the private entity in possession of the biometric identifiers or within 30 days after a request from the individual.||Yes, the earlier of (1) the date on which the initial purpose has been satisfied or (2) one year after the individual’s last intentional interaction with the private entity.||Yes, when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction, whichever comes first.||Yes, the earlier of (1) date on which the initial purpose for collecting is satisfied or (2) within three years after the individual’s last intentional interaction with the private entity.|
|Written policy regarding retention policy||X||✓||✓||✓||✓||✓||✓|
|Inform consumers in writing prior to collection||✓||does not specify in writing|
|Receive a written release prior to collection||✓||does not specify in writing|
|Prohibition on sale, lease, trade, or otherwise profit without individual’s consent||✓||✓||✓||✓||✓||✓||✓|
|Private right of action||✓||X||✓||✓||✓||✓||✓|
|Available remedies||The greater of (1) statutory damages not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day; (2) actual damages; or (3) punitive damages.||Remedies provided by Kentucky’s Consumer Protection Act.||Against a private entity that negligently violates a provision of this article, liquidated damages of $1,000 or actual damages, whichever is greater, or against a private entity that intentionally or recklessly violates a provision of this article, liquidated damages of $5,000 or actual damages, whichever is higher.||Against a private entity that negligently violated a provision ($1,000) or against a private entity that intentionally or recklessly violated this title ($5,000).||Damages shall be no less than $5,000 per violation or actual damages suffered, whichever is greater, or up to three but not less than two times such amount if the court finds that the violation was a willful or knowing act.||For each violation (1) liquidated of $1,000 or actual damages or (2) liquidated damages of $5,000 or actual damages, for intentional or reckless violations.||Against a private entity that negligently violates a provision of this article, liquidated damages of $1,000 or actual damages, whichever is greater, or against a private entity that intentionally or recklessly violates a provision of this article, liquidated damages of $5,000 or actual damages, whichever is higher.|
These new biometrics bills create vast new territory for plaintiffs’ counsel looking for new avenues on which to sue businesses. These bills also indicate that state legislatures are cracking down on the collection, use, and processing of biometric information. Companies that collect and use biometric information should prepare for compliance in light of potential enactment of these laws. Troutman Pepper will continue to monitor and provide updates related to this and similar bills.