The watch is on for the next wave of US biometric data privacy lawsuits
Despite the wave of litigation alleging procedural violations of biometric data privacy rules, or perhaps because of it, other states are following Illinois’ lead by enacting regulations including redress mechanisms, and in some cases a private right of action for consumers, as described in a trio of editorials from legal experts.
Pennsylvania’s proposed Consumer Data Privacy Act, and Virginia’s recently-enacted Consumer Data Protection Act, which goes into force on January 1, 2023, will each force businesses to take proactive measures to ensure their compliance , Jeffrey N. Rosenthal and Thomas F. Brier Jr. of Blank Rome write for The Legal Intelligencer.
The Pennsylvania law includes a private right of action, while Virginia’s would not, but Rosenthal and Brier suggest it could include America’s broadest definition of covered biometric data. Under each state’s law, consumers would be granted rights to be informed when their biometrics are collected, to access and delete the data, to opt out of its sale, and in Virginia to correct data. Biometric data portability rules are also included in Virginia’s Act.
Businesses are required to reasonably secure biometric data, and each Act includes disclosure rules for third-party sales or targeted advertising.
The laws apply to businesses that derive half of their revenue from personal data sales, with at least 25,000 customers in the case of Virginia, as well as all companies of a certain size.
As in California, where the Unfair Competition Law can be used to bring private action against businesses and then “borrow” violations of other statutes, like the California Consumer Privacy Act (CCPA), Pennsylvania may allow plaintiffs to sue for unfair or deceptive practices, under a similar state law, with reference to the biometrics restrictions in its proposed CDPA.
NYC rule imposes requirements on stores
Even before New York’s proposed Biometric Privacy Act reaches a vote, an amendment to Title 22 of the New York City Administrative Code creates requirements for commercial establishments using biometrics reminiscent of Illinois’ Biometric Information Privacy Act (BIPA) Jackson Lewis P.C. Associate Damon W. Silver writes for The National Law Review.
The Amendment refers to restaurants and bars, entertainment venues like theaters and stadiums, and retail stores, requiring them to post notices informing patrons of their biometrics use, and blocking them from selling or otherwise profiting from any data they collect. Consumers have the right to make complaints and have alleged violations resolved by the business within 30 days, or a right of private action is triggered.
Silver also reviews other laws recently passed or yet to be enacted which relate to data privacy, including the SHIELD Act and the Tenant Privacy Act, which covers smart access systems using biometrics.
Maryland bill has private right of action, but not informed consent requirement
Maryland’s Biometric Identifiers and Biometric Information Privacy Act is currently before both the State House and Senate, and Blank Rome’s David J. Oberly writes for Lexology that it could become the second state after New York to pass legislation modeled on BIPA.
The proposal would bring in a right of private action against companies that fail to provide privacy policies including biometric data storage guidelines and retention schedules, that sell consumer’s biometric data, that disclose or share the data without consent, and that fail to reasonably protect the data. The remedies outlined are described by Oberly as a carbon copy of BIPA.
Maryland’s bill sets out a wider definition of biometric data than BIPA, however, provides exceptions for internal company operations, and does not impose the same informed consent requirements as Illinois’ law, which is the clause alleged to have been violated in the vast majority of BIPA suits.
Oberly warns that other states and local jurisdictions could follow the trend, and provides advice for companies using biometric data to remain compliant aid the shifting legal landscape.
Maryland also cracked down on the use of biometrics-based affect recognition in job interviews last year.