Skip Repeated Content

The enactment of biometric privacy laws is a growing trend across the country. Existing legislation has led to a boon of class action litigation against employers, consumer-facing business, and technology companies for claimed violations of biometric privacy rights. It is therefore imperative that businesses remain informed of their obligations, which are increasingly expanding and being required in new jurisdictions, as non-compliance can create significant monetary exposure.

Biometric privacy laws and regulations generally require businesses to track, inform employees or consumers of, and provide methods for employees or consumers to consent to, the collection of biometric information or biometric identifiers. BCLP has been tracking enacted biometric privacy laws and proposed legislation across the United States. Below is a high-level summary of existing laws and proposed bills introduced across the country that pertain to private sector companies’ collection or use of biometric data. Additional privacy, data-breach, industry-specific, and public-sector regulations and proposed legislation exist. Readers are thus encouraged to consult their regular Bryan Cave Leighton Paisner contact or the authors of this article for more information and guidance.

BCLP continues to monitor. Please check back here periodically for updates.

 

 U.S. Biometric Laws and Bills by State

 Existing Laws

State

Statute

Details

Arkansas

Personal Information Protection Act (“PIPA”)

ARK. CODE. ANN. §§ 4-110-101 et seq.

Requires a business to take all reasonable steps to destroy or arrange for the destruction of a customer’s records containing personal information (which includes “biometric data”) and implementation and maintenance of reasonable security procedures and practices. Provides for enforcement by the Arkansas Attorney General.

California

California Consumer Privacy Act (“CCPA”)

Comprehensive data privacy statute that includes obligation to make certain disclosures regarding collection of biometric data. More information on the CCPA can be found here.

Colorado

Consumer Protection Act

COLO. REV. STAT. ANN. §§ 6-1-713, 6-1-713.5.

A covered entity that maintains, owns, or licenses personal identifying information (including biometric information) must develop and implement a written plan for the disposal of such information and must implement and maintain reasonable security procedures and practices.

Illinois

Biometric Information Privacy Act (“BIPA”)

740 ILCS 14/1 et seq.

BIOMETRIC SPECIFIC. Depending on whether a private entity is possessing, capturing, collecting, otherwise obtaining, or disclosing biometric information or biometric identifiers, requires: (1) a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information; (2) compliance with that policy; (3) protection of the biometric information using the reasonable standard of care within the industry or in a manner as protective as the entity protects other confidential and sensitive information; (4) informing the subject whose biometric information is to be collected of the specific purposes and length of term for which biometric information is being collected, stored, or used; and (5) receiving a written release from the individual to proceed with the collection or disclosure of the biometric information. Provides for recovery of liquidated statutory damages or actual damages, and attorneys’ fees and expenses. (But see Proposed Legislation below).

Maryland

Personal Information Protection Act

MD. CODE ANN., COM. LAW §§ 14-3501 et seq.

Requires a business to take reasonable steps to protect against unauthorized access to or use of personal information (including biometric data), including requiring in contracts with certain nonaffiliated third party service providers that the service provider will implement and maintain reasonable security procedures and practices.

New York

Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”)

Comprehensive data security statute that applies to biometric information. More information on the SHIELD Act can be found here.

New York

N.Y. LAB. LAW § 201-a.

BIOMETRIC SPECIFIC. Prohibits employers from requiring a fingerprint from employees, as a condition of securing employment or of continuing employment, unless as provided by other laws. (See also New York State Department of Labor RO-10-0024 for opinion on use of a biometric device in a time clock).

New York

City of New York Administrative Code, Title 22, Chapter 12.

BIOMETRIC SPECIFIC. Any “commercial establishment” that collects biometric information from “customers” must disclose the collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances.” Makes it unlawful to sell, lease, trade, share, exchange for anything of value, or otherwise profit from the transaction of biometric identifier information.

Oregon

Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050. 

BIOMETRIC SPECIFIC. Prohibits the use of Facial Recognition Technologies in Places of Public Accommodation by Private Entities within the boundaries of the City of Portland. Provides for recovery of damages sustained as a result of the violation of $1,000 per day for each day of violation, whichever is greater.

Texas

TEX. BUS. & COM. CODE ANN. § 503.001

BIOMETRIC SPECIFIC. Requires that a person capturing a biometric identifier of an individual for a commercial purpose inform the individual before capturing the biometric identifier and receive the individual’s consent and requires protecting the data from disclosure using reasonable care and in a manner as protective as the entity protects other confidential information. Biometric identifiers must be destroyed within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires. Also prohibits a person in possession of a biometric identifier of an individual from selling, leasing, or otherwise disclosing the biometric identifier unless in certain circumstances. Provides for a civil penalty of no more than $25,000 for each violation, enforceable by the Texas Attorney General.

Virginia

Virginia Consumer Data Protection Act

 

Comprehensive data privacy statute that includes obligation to obtain consent prior to collection or use of biometric data.  Provides for civil penalties of up to $7,500 per violation, enforceable by the Virginia Attorney General. (Effective date January 1, 2023).

Washington

WASH. REV. CODE §§ 19.375.010 et seq.

BIOMETRIC SPECIFIC. Provides that a person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. Provides for enforcement by the Texas Attorney General under the Washington Consumer Protection Act.

 

Proposed Legislation

State

Legislation

Information

Alabama

Consumer Privacy Act
AL H.B. 216

Would require a business to make certain disclosures regarding what information it collects and has collected, and the purposes for which that information is used.

Alaska

Consumer Data Privacy Act

2021 AK H.B. 159

2021 AK S.B. 116

Would require a business that collects personal information from a consumer to notify the consumer before collecting the information.

Arizona

AZ H.B. 2729

Would amend a law that prohibits collection of personally identifiable data using certain strategies such as malware, keystroke logging and similar practices by changing the definition of "sensitive information" to include biometric information.

Arizona

AZ H.B. 2865

Would allow consumers to opt out of their personal data being sold to a third party.

Colorado

2021 CO H.B. 1244

BIOMETRIC SPECIFIC. Would require an entity that targets products or services to people in Colorado that collects, stores, or uses biometric identifiers of a Colorado consumer to provide the consumer with information about the biometric identifiers collected, obtain consent, and provide a right to revoke consent at any time.

Colorado

Colorado Privacy Act

2021 CO S.B. 190

Would give consumers the right to: (1) request disclosure of the information that a business collects about the consumer, including biometric information; (2) request deletion of such information; and (3) opt out of the sale of such information.

Connecticut

2020 CT S.B. 134

Would give consumers the right to: (1) request disclosure of the information that a business collects about the consumer, including biometric information; (2) request deletion of such information; and (3) opt out of the sale of such information.

Connecticut

Consumer Privacy Act
2021 CT S.B. 893

Would establish a framework for controlling and processing personal data, responsibilities and privacy protection standards for data controllers and processors, and grant consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data for the purposes of targeted advertising.

Hawaii

HW H.B. 2572

Would amend the requirements for handling consumer personal information for the purposes of security.

Illinois

2021 IL H.B. 3414

BIOMETRIC SPECIFIC. Would amend the BIPA by eliminating the “for each violation” language relating to recoverable damages and providing that the BIPA would not apply in the employment context.

Illinois

2021 IL H.B. 3304
2021 IL S.B. 2039

BIOMETRIC SPECIFIC. Would repeal the BIPA in its entirety.

Illinois

2021 IL H.B. 3112

BIOMETRIC SPECIFIC. Would amend the BIPA by excluding timekeeping systems used by employers, making the BIPA solely enforceable by Illinois Attorney General, requiring a plaintiff to show actual harm, allowing for recovery of damages only for “initial violation,” and reducing amount of liquidated damages recoverable.

Illinois

2021 IL S.B. 300
2021 IL H.B. 559

BIOMETRIC SPECIFIC. Would amend the BIPA by excluding from the definition of “biometric information” any “information that cannot be used to recreate original identifier,” eliminating the public policy requirement, allowing for a cure period, and allowing only for recovery of actual damages.

Illinois

2021 IL H.B. 1764

BIOMETRIC SPECIFIC. Would amend the BIPA by giving the Illinois Attorney General sole power to enforce BIPA in instances of actual harm and exempt employers.

Illinois

2021 IL H.B. 560

BIOMETRIC SPECIFIC. Would amend the BIPA by eliminating the “right of action” section and replacing with Department of Labor enforcement.

Illinois

2021 IL S.B. 602

BIOMETRIC SPECIFIC. Would amend the BPIA by excluding “information captured and converted to a mathematical representation” from the BIPA’s definition of “biometric identifiers” and excluding “biometric time clocks” and “biometric locks” from the BIPA’s purview.

Illinois

2021 IL S.B. 1607

BIOMETRIC SPECIFIC. Would amend the BIPA by exempting from the BIPA’s purview employers who collect, capture, obtain, or otherwise use biometric information or biometric information for recording employee work hours, security purposes, facility access, or human resources purposes.

Illinois

Consumer Privacy Act
2021 IL H.B. 3910

Would require a business to, at or before the point of collection, inform a consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.

Kentucky

2021 KY S.B. 278
2021 KY S.B. 280

BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

Florida

Privacy Protection Act
2021 FL S.B. 1734

Would allow consumers to opt out of their personal data being sold to a third party.

Maryland

Biometric Identifiers and Biometric Information Privacy Act
MD H.B. 218
MD S.B. 16

BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

Maryland

Online Consumer Protection Act
MD S.B. 930

Would require a business that collects a consumer’s personal information, at or before the point of collection, to clearly and conspicuously provide notice to the consumer regarding the collection, use, and disclosure of the information collected. Would also give the consumer a right to request a copy or deletion of his/her personal information and to opt out of their personal data being sold to a third party.

Massachusetts

Information Privacy Act
2021 S.D. 46

2021 H.B. 142

Would require certain businesses to solely share an individual’s personal information with third-party entities that will agree to provide the same duties of care, loyalty, and confidentiality imposed by this Act.

Massachusetts

Biometric Information Privacy Act
2021 S.D. 269

2021 S.B. 220

BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

Minnesota

Consumer Data Privacy Act
2021 MN S.F. 1408
2021 MN H.F. 1492
2021 MN H.F. 36

Would establish a framework for controlling and processing personal data, responsibilities and privacy protection standards for data controllers and processors, and grant consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data for the purposes of targeted advertising.

Montana

Online Personal Information Protection Act

2021 MT H.B. 710

Would require any business that owns a website or an online service that collections and maintains biometric information to post a privacy policy on its website.

New Jersey

N.J. A.B. 3625

BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

New York

Biometric Privacy Act
2021 NY A.B. 27

2021 NY S.B. 1933

BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

New York

Privacy Act 2021 NY A.B. 680

Would prohibit the use, processing, or transfer of personal data of consumers (including biometric information) unless the consumer process express and documented consent. Would also require companies to disclose their methods of de-identifying personal data, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared. Also creates a special account to fund a new office of privacy and data protection.

New York

2021 NY A.B. 488

BIOMETRIC SPECIFIC. Would prohibit biometric data from being used for marketing purposes.

New York

2021 NY S.B. 567
2021 NY A.B. 3709

Would provide consumers the right to request info about biometric data collected. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who directs that their personal information not be sold. Requires that there be a clear and conspicuous link on the business’s website titled “Do Not Sell My Biometric Information.” Provides for statutory or actual damages.

New York

It's Your Data Act
2021 NY A.B. 3586
2021 NY S.B. 4021
2019 NY S.B. 9073

Would classify as a misdemeanor the failure to obtain written consent before collecting, storing, or using biometric data. Would also provide for recovery of actual damages. Would also require a business that collects a consumer’s personal information to disclose certain information in an online privacy policy.

New York

Digital Fairness Act
2021 NY A.B. 6042

Would require a covered entity in possession of biometric information to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information. Would also require a covered entity to obtain informed written consent prior to the collection, capture, purchase, or receipt through trade of an individual’s biometric information.  Would provide for liquidated damages of $10,000 or actual damages, whichever is greater.

New York

2021 NY S.B. 5879

Would prohibit any private entity from using biometric identifiers or biometric information for any advertising, marketing, promotion, or other activity that is intended to be used to influence business volume, sales, or market share or to evaluate the effectiveness of marketing practices or personnel.

North Carolina

Consumer Privacy Act

2021 NC S.B. 569

Would establish a framework for controlling and processing personal data, responsibilities and privacy protection standards for data controllers and processors, and grant consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data for the purposes of targeted advertising.

Oklahoma

Computer Data Privacy Act
2021 OK H.B. 1602

Would require an entity collecting personal information to obtain informed written consent. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who choose to have their information deleted.

Oklahoma

2021 OK H.B. 1130

Would require any business or website that operates an online business or website that collects a consumer’s personal digital information or data to, before the point of collection, conspicuously post on its website homepage information regarding the information to be collected or disclosed.  Provides for civil monetary penalties and Oklahoma Attorney General enforcement.

Pennsylvania

Consumer Data Privacy Act

2021 PA H.B. 1126

Would provide consumers the right to request info about biometric information collected. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who exercise rights under the statute. Requires that there be a clear and conspicuous link on the business’s website titled “Do Not Sell My Biometric Information.” Provides for statutory or actual damages.

South Carolina

Biometric Data Privacy Act
S.C. H.B. 4812
S.C. H.B. 3063

BIOMETRIC SPECIFIC. Would require a business that a consumer's biometric information to, at or before the point of collection, inform the consumer about the information being collected and used. Would also grant consumers the right to access, delete and obtain a copy of personal data. Requires that there be a clear and conspicuous notice with a reasonably full and complete description of the business’s practice governing the processing of personally identifying information. Provides for civil penalties.  

Texas

2021 TX H.B. 3741

Would require certain business to provide consumers the right to request info about biometric information collected. Would allow consumers to opt out of their personal data being sold to a third party and prohibit discrimination against individuals who exercise rights under the statute. Requires that there be a clear and conspicuous link on the business’s website titled “Do Not Sell My Biometric Information.” Provides for statutory or actual damages.

Texas

2021 TX S.B. 1952

BIOMETRIC SPECIFIC. Would amend the Business & Commerce Code to require a person who captures an individual’s biometric identifier for a commercial purpose to provide the individual with information on the type of technology used, the purpose or method for capturing or collecting the identifier, and the method for storing data related to the captured identifier.

Texas

2021 TX H.B. 4164

Would amend the Business & Commerce Code to require certain businesses provide consumers the right to request info about or delete biometric information collected.

Vermont

VT H.B. 75

BIOMETRIC SPECIFIC. Would prohibit use of facial or voice recognition technology unless a consumer opts in to use of the technology.  Would also require use of facial recognition technology to be disclosed on a clear, conspicuous, physical sign at the entrance of a building.

Washington

2021 WA S.B. 5104

BIOMETRIC SPECIFIC. Would prohibit operation, installation, or commissioning the operating of facial recognition technology in any place of public resort, accommodation, assemblage, or amusement.

Washington

2021 WA H.B. 1433

Would require a covered entity to make a long-form and short-form privacy policy “persistently and conspicuously” available that provides notice regarding the personal information being processed, captured, used, or disclosed. Would also grant consumers the right to access, correct, delete, and obtain a copy of personal data.

Washington

Washington Privacy Act S.B. 5062

Would prohibit a “controller” from processing “sensitive data” (including biometric information) concerning a consumer without obtaining the consumer’s consent.

West Virginia

Biometric Information Privacy Act
2021 WV H.B. 2064

BIOMETRIC SPECIFIC. Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.

 

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.