U.S. businesses using biometrics need to monitor congressional action as proposal imposes privacy obligations

Despite the unlikelihood that the National Biometric Information Privacy Act recently tabled by U.S. Senators Merkley and Sanders will pass, the breadth of legal exposure will clearly continue to trend upwards, according to an editorial by a pair of experts from Blank Rome LLP for Law360.

Blank Rome Partner Jeffrey N. Rosenthal and Associate David J. Oberly, who recently told Biometric Update in an email that they have launched a dedicated Biometric Privacy Team at the firm, write that the proposed national law is similar to the Biometric Information Privacy Act (BIPA) of Illinois, the U.S.’ most stringent and litigious state law on biometrics. The notice and consent requirements, as well as the right of private action, and mandated security measures for biometric data, are major points of agreement between the acts.

One major difference, Rosenthal and Oberly write, are that the proposed national act explicitly does away with the barriers to legal standing which have led to the dismissal of some BIPA claims. Technical violations of the rules are specifically identified as sufficient to establish standing. Another is that the federal bill includes a “right-to-know” clause, like the California Consumer Privacy Act (CCPA).

While Washington and Texas also have statutes that specifically deal with biometric privacy, it is the Illinois law that has generated almost all litigation in the area, through the private right of action. By providing the same recourse, the national act “would likely lead to a flood of bet-the-company litigation from coast to coast,” Rosenthal and Oberly write. Beyond the risk of litigation, the act would also impose significant compliance obligations on companies using biometrics, according to the analysis. Those obligations would come into effect within 60 days.

Congressional representatives, however, have not reached a consensus on whether federal privacy legislation should pre-empt state laws, or how a federal law should be enforced. Pressure to act will remain in place though, so while the act will not likely be enacted this year, the attorneys suggest that businesses using biometric data now need to stay abreast of congressional developments on this front, particularly following the upcoming election.

Companies should consider their privacy policy, notice and consent procedures, opt out policies, and data security measures, Rosenthal and Oberly conclude.

Oberly recently analyzed the court’s approval of Facebook’s $650 million class-action settlement in a BIPA suit over the use of biometrics in the social network’s face tagging feature.

Article Topics

biometric data  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  CCPA  |  commercial applications  |  data collection  |  data protection  |  legislation  |  privacy  |  United States