FB pixel

The watch is on for the next wave of US biometric data privacy lawsuits


contactless fingerprint payments

Despite the wave of litigation alleging procedural violations of biometric data privacy rules, or perhaps because of it, other states are following Illinois’ lead by enacting regulations including redress mechanisms, and in some cases a private right of action for consumers, as described in a trio of editorials from legal experts.

Pennsylvania’s proposed Consumer Data Privacy Act, and Virginia’s recently-enacted Consumer Data Protection Act, which goes into force on January 1, 2023, will each force businesses to take proactive measures to ensure their compliance , Jeffrey N. Rosenthal and Thomas F. Brier Jr. of Blank Rome write for The Legal Intelligencer.

The Pennsylvania law includes a private right of action, while Virginia’s would not, but Rosenthal and Brier suggest it could include America’s broadest definition of covered biometric data. Under each state’s law, consumers would be granted rights to be informed when their biometrics are collected, to access and delete the data, to opt out of its sale, and in Virginia to correct data. Biometric data portability rules are also included in Virginia’s Act.

Businesses are required to reasonably secure biometric data, and each Act includes disclosure rules for third-party sales or targeted advertising.

The laws apply to businesses that derive half of their revenue from personal data sales, with at least 25,000 customers in the case of Virginia, as well as all companies of a certain size.

As in California, where the Unfair Competition Law can be used to bring private action against businesses and then “borrow” violations of other statutes, like the California Consumer Privacy Act (CCPA), Pennsylvania may allow plaintiffs to sue for unfair or deceptive practices, under a similar state law, with reference to the biometrics restrictions in its proposed CDPA.

NYC rule imposes requirements on stores

Even before New York’s proposed Biometric Privacy Act reaches a vote, an amendment to Title 22 of the New York City Administrative Code creates requirements for commercial establishments using biometrics reminiscent of Illinois’ Biometric Information Privacy Act (BIPA) Jackson Lewis P.C. Associate Damon W. Silver writes for The National Law Review.

The Amendment refers to restaurants and bars, entertainment venues like theaters and stadiums, and retail stores, requiring them to post notices informing patrons of their biometrics use, and blocking them from selling or otherwise profiting from any data they collect. Consumers have the right to make complaints and have alleged violations resolved by the business within 30 days, or a right of private action is triggered.

Silver also reviews other laws recently passed or yet to be enacted which relate to data privacy, including the SHIELD Act and the Tenant Privacy Act, which covers smart access systems using biometrics.

Maryland bill has private right of action, but not informed consent requirement

Maryland’s Biometric Identifiers and Biometric Information Privacy Act is currently before both the State House and Senate, and Blank Rome’s David J. Oberly writes for Lexology that it could become the second state after New York to pass legislation modeled on BIPA.

The proposal would bring in a right of private action against companies that fail to provide privacy policies including biometric data storage guidelines and retention schedules, that sell consumer’s biometric data, that disclose or share the data without consent, and that fail to reasonably protect the data. The remedies outlined are described by Oberly as a carbon copy of BIPA.

Maryland’s bill sets out a wider definition of biometric data than BIPA, however, provides exceptions for internal company operations, and does not impose the same informed consent requirements as Illinois’ law, which is the clause alleged to have been violated in the vast majority of BIPA suits.

Oberly warns that other states and local jurisdictions could follow the trend, and provides advice for companies using biometric data to remain compliant aid the shifting legal landscape.

Maryland also cracked down on the use of biometrics-based affect recognition in job interviews last year.

Article Topics

 |   |   |   |   |   |   |   | 

Latest Biometrics News


NIST adds flexibility, digital format to security requirements for federal contractors

The U.S. National Institute of Standards and Technology has updated its guidance for how businesses working with the federal government…


Cryptomathic is Belgium’s digital wallet mobile app security provider

Tech from Cryptomathic has been deployed in Belgium’s digital identity wallet, one of the first to go live in the…


Bringing ethics into the discussion on digital identity

A panel at EIC 2024 addresses head-on a topic that lurks around the edges of many discussions of digital ID….


Kantara Initiative launches group devoted to deepfake injection attack threats

“It’s probably not as bad as this makes it seem,” says Andrew Hughes, VP of global standards for FaceTec and…


Seamfix CEO makes case for digital ID as unlocker of Africa’s growth potential

The co-founder and Chief Executive Officer of Seamfix, Chimezie Emewulu, has posited that digital identity and related services have the…


Nigeria’s digital ID authority unveils new measures to uphold data security

The National Identity Management Commission of Nigeria (NIMC) has outlined new measures that align with its push to make data…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events