Biometric data collection regulation proposed in Arizona House
Another U.S. state is considering major new regulatory rules that would make it illegal for businesses to use biometric data for commercial purposes without consent, the Arizona Mirror reports.
House Bill 2478, proposed by House Speaker Rusty Bowers, sets criteria for legally enrolling an individual’s biometric data. Violations are punishable by fines of up to $10,000 each and can also be grounds for lawsuits. The bill also empowers the Arizona Attorney General’s Office to investigate violations and impose penalties if necessary.
The criteria include giving notice of and receiving consent for biometric data collection, with exceptions for health care, law enforcement, and security. The bill defines security to include theft and fraud prevention and the protection of digital services and accounts. Biometrics could still be used to authenticate financial transactions, as long as the data is not sold or used for other purposes. The bill does not limit federal or court orders for biometric data, according to the Mirror.
The original proponent of the proposed law is Kristy Gale, who suggested the bill to Bowers and is described on her website as a sports technology law pioneer. Arizona Technology Council President and CEO Steven Zylstra said the bill seems fair, but that he will find out how council members perceive it. He noted that he is not aware of non-security commercial deployments of biometrics, but there could be some. Zylstra also said that the proposal was not expected, and that it is an unusual case of the legislature acting to prevent something before it becomes a problem.
Electronic Frontier Foundation Senior Staff Attorney Adam Schwartz is concerned the bill does not deal with some uses of biometric data, but is generally supportive. “It is good that an Arizona legislator wants to pass a law to protect biometric privacy,” Schwartz told the Mirror. The EFF is among more than 85 groups that recently wrote to tech giants offering facial recognition technology to urge them not to provide it to the U.S. government.
Schwartz is also concerned that the bill, like the regulation in Texas, depends on the state’s attorney general for action. The Mirror reports that the bill does not make clear how it could be enforced for companies holding data outside the state, like big tech companies.
“It doesn’t have a strong enforcement mechanism,” Bowers said, “which is probably why Apple and Google are not coming at me with a lead pipe in the parking lot right now.”
Businesses may be relieved that the bill does not more closely resemble Illinois’ BIPA, after that state’s Supreme Court ruled that notice and consent violations constitute harm in and of themselves.