BCLPemerging.com
U.S. biometric laws & pending legislation tracker
Jun 02, 2023The enactment of biometric privacy laws is a growing trend across the country. Existing legislation has led to a boon of class action litigation against employers, consumer-facing businesses, and technology companies for claimed violations of biometric privacy rights. It is therefore imperative that businesses remain informed of their obligations, which are increasingly expanding and being required in new jurisdictions, as non-compliance can create significant monetary exposure.
Biometric privacy laws and regulations generally require businesses to track, inform employees or consumers of, and provide methods for employees or consumers to consent to, the collection of biometric information or biometric identifiers. BCLP has been tracking enacted biometric privacy laws and proposed legislation across the United States. Below is a high-level summary of existing laws and proposed bills introduced across the country that pertain to private sector companies’ collection or use of biometric data. Additional privacy, data-breach, industry-specific, and public-sector regulations and proposed legislation exist. Readers are thus encouraged to consult their regular Bryan Cave Leighton Paisner contact or the authors of this article for more information and guidance.
BCLP continues to monitor. Please check back here periodically for updates.
Existing Legislation
Biometric Information Privacy Act (“BIPA”)
740 ILCS 14/1 et seq.
Depending on whether a private entity is possessing, capturing, collecting, otherwise obtaining, or disclosing biometric information or biometric identifiers, requires: (1) a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information; (2) compliance with that policy; (3) protection of the biometric information using the reasonable standard of care within the industry or in a manner as protective as the entity protects other confidential and sensitive information; (4) informing the subject whose biometric information is to be collected of the specific purposes and length of term for which biometric information is being collected, stored, or used; and (5) receiving a written release from the individual to proceed with the collection or disclosure of the biometric information. Provides for recovery of liquidated statutory damages or actual damages, and attorneys’ fees and expenses. (But see Proposed Legislation).
Labor and Employment Code § 3-717
Prohibits employers from using facial recognition service for purpose of creating a facial template during applicant interview for employment, unless applicant consents.
N.Y. LAB. LAW § 201-aA
Prohibits employers from requiring a fingerprint from employees, as a condition of securing employment or of continuing employment, unless as provided by other laws. (See also New York State Department of Labor RO-10-0024 for opinion on use of a biometric device in a time clock).
City of New York Administrative Code, Title 22, Chapter 12.
Any “commercial establishment” that collects biometric information from “customers” must disclose the collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances.” Makes it unlawful to sell, lease, trade, share, exchange for anything of value, or otherwise profit from the transaction of biometric identifier information. Provides for recovery of damages to prevailing party.
Portland City Code, Title 34- Digital Justice, Chapters 34.10.010-34.10-050.
Prohibits the use of Facial Recognition Technologies in Places of Public Accommodation by Private Entities within the boundaries of the City of Portland. Provides for recovery of damages sustained as a result of the violation of $1,000 per day for each day of violation, whichever is greater.
TEX. BUS. & COM. CODE ANN. § 503.001
Requires that a person capturing a biometric identifier of an individual for a commercial purpose inform the individual before capturing the biometric identifier and receive the individual’s consent and requires protecting the data from disclosure using reasonable care and in a manner as protective as the entity protects other confidential information. Biometric identifiers must be destroyed within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires. Also prohibits a person in possession of a biometric identifier of an individual from selling, leasing, or otherwise disclosing the biometric identifier unless in certain circumstances. Provides for a civil penalty of no more than $25,000 for each violation, enforceable by the Texas Attorney General.
WASH. REV. CODE §§ 19.375.010 et seq.
Provides that a person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. Provides for enforcement by the Texas Attorney General under the Washington Consumer Protection Act.
My Health My Data Act (effective March 31, 2024)
“Biometric data” included in the broad definition of “consumer health data.”
Proposed Legislation
2023 AZ S.B. 1238
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.
2023 CT S.B. 730
[Similar to NYC Ordinance] Would require that any entity using facial recognition technology to identify customers and guests in a public space post a clear disclosure of such use.
2023 HI H.B. 1085
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.
2023 IL H.B. 1230
Would amend the BIPA to provide to carve out application to health care employers who biometric information or biometric identifiers for employment, human resources, compliance, payroll, identification, authentication, safety, security, or fraud prevention purposes.
2023 IL S.B. 1511
2023 IL H.B. 2259
2023 IL H.B. 4102
Would amend the BIPA to allow collection of biometric information for a "security purpose" (preventing theft, fraud, trespass, controlling access to property).
2023 IL S.B. 1506
2023 IL H.B. 2335
Would amend the BIPA to exclude information converted to a mathematical representation from definition of “biometric identifier” (or devices that so convert a person’s biometric identifier or information to a mathematical representation). Would also clarify that if biometric identifier or information is captured for same repeated process, obtaining informed consent is only required at initial collection. Would also not require consent if information collected for “security purpose.” Would also amend the Workers' Compensation Act to state that it does not preempt an employee’s BIPA claim.
2023 IL H.B. 3199
2023 IL H.B. 2252
Would amend the BIPA to exclude information “that cannot be used to create the original biometric identifier” from definition of “biometric information.” Would also change term “written release” to “written consent” and clarify that consent can be obtained electronically. Would also provide for 1-year statute of limitations and 30 day notice period/opportunity to cure for violations. Would eliminate statutory damages. Would also clarify that BIPA does not apply to private entity whose employees are covered by collective bargaining agreement that provides for different policies regarding biometric information.
2023 IL H.B. 3204
Would amend the BIPA to provide for 1-year statute of limitations.
2023 IL H.B. 3811
Would amend the BIPA to provide for a single damages recovery (rather than “per scan”), but increase potential liquidated statutory damages to $1500 per person.
2023 KY S.B. 239
2023 KY H.B. 483
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. Also provides for Attorney General enforcement.
Act to Give Consumers Control Over Sensitive Personal Data
2023 ME H.P. 1094
[Similar to Illinois BIPA + Consumer Privacy statutes] Would require a private entity in possession of non-employees’ biometric identifiers information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying non-employees’ biometric identifiers. Would also require affirmative written consent prior to collection or disclosure of biometric identifier. Would require, upon request, disclosure of certain information to individual whose biometric information is collected or possessed. Would also grant right to request destruction of biometric identifiers. Would prohibit private entity from retaining a biometric identifier of employee for purpose of employee tracking. Would also prohibit discrimination based on refusal to provide affirmative written consent to providing biometric identifier. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. Also provides for Attorney General enforcement.
2023 MD S.B. 169
2023 MD H.B. 33
Would require a private entity in possession of non-employees’ biometric identifiers information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying non-employees’ biometric identifiers. Would also require affirmative written consent prior to collection or disclosure of biometric identifier. Would require, upon request, disclosure of certain information to individual whose biometric information is collected or possessed. Would also grant right to request destruction of biometric identifiers. Would prohibit private entity from retaining a biometric identifier of employee for purpose of employee tracking. Would also prohibit discrimination based on refusal to provide affirmative written consent to providing biometric identifier. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. Also provides for Attorney General enforcement.
Biometric Information Privacy Act
2023 MA S.B. 195
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for Attorney General enforcement or private right of action to recover statutory damages of at least $5,000 per violation or actual damages, whichever is greater.
2023 MA H.D. 3053
2023 MA H.B. 63
Would require a “covered entity” or “data processor” to obtain informed, handwritten/non-electronic consent to collection and processing of biometric information for a specific purpose, excluding monetization. Would also require having a “Biometric Privacy Policy.” Would also impose annual reporting and data security requirements.
2023 MN S.F. 954
2023 MN H.F. 2532
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.
Biometric Information Privacy Act
2023 MO H.B. 1047
2023 MO H.B. 1225
Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Would prohibit conditioning provision of goods or services on collection, use, disclosure of a biometric identifier unless “strictly necessary” to provide the good or service. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.
Genetic Information Privacy Act
2023 MT S.B. 351
Would require that “genetic data of Montana residents or biometric data collected in the state” be stored “within the territorial boundaries of the United States.” “Biometric data” is not defined. Violations subject to Attorney General enforcement.
2023 NV S.B. 370
[Similar to Illinois BIPA] Would require a private entity in possession of a biometric identifier to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers. Violation would be “deceptive trade practice” subject to Deceptive Trade Practices Act.
2022 NJ S.B. 3499
Would prohibit use of facial recognition technology on consumer at any retail location or “place of public accommodation,” except for a “legitimate safety purpose.” Violation would be an “unlawful practice” under Consumer Fraud Act punishable by monetary penalty. Violations also subject to Attorney General enforcement and assessment of punitive and treble damages.
Biometric Privacy Act
2023 NY A.B 1362
2023 NY S.B. 4457
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.
2023 NY S.B. 2390
Would prohibit a private entity from using biometric identifiers or biometric information for any advertising or marketing activity intended to be used to influence business volume, sales, or market share, or to evaluate effectiveness of marketing practices or personnel.
2023 NY A.B. 7625
Would prohibit use of “biometric surveillance system” in place of public accommodation. Would also require informed written consent prior to collection of biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater.
Biometric Identifier Signage Act
2023 PA H.B. 926
[Similar to NYC Ordinance] Would require any “commercial establishment” (retail store, restaurant, hotel, motel, place of entertainment) that collects, retains, converts, stores, or shares biometric identifier information of customers to post a clear and conspicuous notice disclosing use of the technology. Would prohibit the sale, trade, sharing, or profiting from transactions of biometric identifier information. Violations subject to private right of action to recover statutory damages.
Consumer Biometric Data Protection Act
2023 TN S.B. 339
2023 TN H.B. 932
[Similar to Illinois BIPA] Would require a private entity in possession of biometric identifiers or biometric information to develop a written policy, and establish a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Would also require informed written consent prior to collection of biometric identifiers or biometric information. Provides for recovery of liquidated statutory damages or actual damages, whichever is greater. Violation would be “unfair or deceptive act or practice” subject to penalties under Consumer Protection Act of 1977.
2023 TX H.B. 4849
[Similar to NYC Ordinance] Would require a business using facial recognition technology for purpose of identifying a customer or guest in a space generally accessible to the public to post a clear and conspicuous notice disclosing use of the technology.
Biometric Data Privacy Act of 2023
2023 TX H.B. 4705
Would amend the Business and Commerce to add requirement that consent to collection of biometric identifier or biometric information be in writing. Would also add private right of action for violation.
Stop Spying Bosses Act
2023 S.262
Would require an employer to disclose any workplace surveillance conducted on a “covered individual” in a “conspicuous, freely accessible, and readily available” manner.
Related Practice Areas
-
Data Privacy & Security
