Maybe if federal lawmakers saw that their biometric data is endangered they’d pass a law

A noted public policy think tank scouting the landscape of data privacy law in the United States has found little to recommend beyond continuous lawsuits.

The Information Technology & Innovation Foundation has published a report and panel discussion on how much federal legislative inaction on privacy — biometric and otherwise — is going to cost businesses, and, eventually, consumers.

If each of the nation’s 50 states were to create unique regulations, the total hit to the economy could be more than $1 trillion over a decade in market inefficiencies and compliance costs, according to the foundation.

That figure accounts for out-of-state costs, or the price paid by all firms of all sizes in one state to do business in another state with unique privacy rules.

Huge round numbers like that are easy to come by (whether predicting new markets or avoidable catastrophes), even for a nonprofit that has been hailed as one of the world’s leading technology-policy research institutes.

Numbers that cannot be debated, however, describe how state and local politicians are acting on their own in terms of protecting consumers against the commercial abuse and misuse of people’s most critical information, including face, voice, finger and iris prints.

The foundation’s report states that 34 states since 2018 have passed or at least introduced 72 bills covering how businesses collect and use personal data. If, as the group says, patchwork laws are bad, it is good news that only a fraction of those bills became law.

Assuming an economy like that is feasible, it would only be so with the help of armies of attorneys and systems developers. Now-settled debates about how to collect local taxes for online purchases seem quaint in comparison.

These are “well-meaning” people trying to do right by constituents, said Caleb Williamson, a policy associate at vendor group The App Association, during the foundation-sponsored panel discussion. Confusion is creating an economic drag, said Williamson, creating a “dire need” for federal intervention.

There is an exception to every rule, and one footnote on this arrived just last week.

State lawmakers in Kentucky have introduced a bill that is being called “a carbon copy” and a “copycat” of Illinois’ Biometric Information Privacy Act.

Beyond the fact that few businesses would like to see BIPA erased much less replicated, the act is yet another example of legislative Balkanization.

In the panel talk, assembled to support the report, it was pointed out that even the scope and focus of states’ efforts vary.

As iconic as BIPA is, it narrowly targets just commercial businesses collecting biometrics — typically fingerprint and face biometrics. It also gives those who feel wronged the right to action, something not every piece of legislation offers.

While BIPA does not do this, some bills carry prohibitions against other states trying to preempt their privacy and data laws.

California, on the other hand, has its broad Consumer Privacy Act; Virginia has its comprehensive Consumer Data Protection Act; and Colorado has its encompassing Privacy Act.

What federal legislation was introduced last year is, in fact, piecemeal.

There was the Balancing the Rights of Web Surfers Equally and Responsibly Act aimed at broadband and online service providers. Another, focused on service providers, would oblige them to secure data and avoid misuse of consumer data.

Article Topics

biometric data  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  Blank Rome  |  data protection  |  ITIF  |  legislation  |  privacy  |  United States