U.S. states follow BIPA with biometric data privacy proposals
Florida’s House of Representatives has passed a bill to establish a data privacy bill in the state with a right of private action, by a 103-8 vote, the Ormond Beach Observer reports.
If passed by the Senate and signed into law, HB 9 would require companies that have over $50 million in annual revenue or handle the data of 50,000 people to provide notice to consumers about their practices when collecting their personal data.
The bill does not specifically refer to biometrics, but the Associated Industries of Florida warned that it could bring in major compliance, operation, and litigation costs for companies in the state.
Similar legislation proposed in Maryland could further complicate the compliance landscape for biometrics use in the U.S., writes David Oberly, who recently joined Squire Patton Boggs, for Law360 (subscription required).
Kentucky’s HB 32 and Maryland’s HB 259, also known as the Maryland Biometric Identifiers Privacy Act, each specifically target biometrics, and Oberly notes that Maryland has made multiple attempts in previous sessions to pass legislation modeled on the country’s most impactful biometrics regulation, Illinois’ Biometric Information Privacy Act (BIPA).
Each proposal includes informed consent requirements, retention rules, restrictions against selling or sharing biometric data, and crucially, a right of private action.
The Maryland legislation was cross-filed with SB 335. The Kentucky proposal, however, was withdrawn on February 28, leaving its future in doubt.
A guide to biometrics regulations around the world produced by law firm Eversheds Sutherland shows the gradual creep of laws restricting and placing conditions on the use of the technology.
The ‘Global Biometrics Guide 2022’ covers BIPA (more on that below), as well as reviewing the regulatory conditions for biometrics in the UK and the EU, Asia and the Middle East.
BIPA limitations, exemptions weighed
The Illinois Supreme Court rejected an appeal from BIPA plaintiff Ring Container Technologies, which sought to limit the scope of the class action against it, writes the Cook County Record.
The statute of limitations for the BIPA suit, alleging informed consent-related violations by an employee time and attendance system, like so many other cases brought under the law, should be limited to two years based on workers compensation rules, rather than the five year limit that has been applied in other cases.
Ring Container appealed to the State Supreme Court to hear its case before the similar Tims v Black Horse Carriers statute of limitations question, on grounds that its case includes multiple potential statutes of limitations, as opposed to the sole limitation in question in the latter case. The court declined to hear the appeal, however, with no dissent and no explanation.
A lawsuit against Point-of-sale system vendor Signature Systems over alleged violations of Illinois biometric data privacy law will be heard in U.S. District Court, Bloomberg Law reports, after it was approved by the judge.
Judge Mary M. Rowland of the Northern District of Illinois denied a motion to dismiss the case, ruling that plaintiff Ronesha Smith satisfied the requirements to claim violations under the BIPA.
The defendant allegedly violated BIPA by failing to publish a data retention and destruction policy and also to obtain written consent before the plaintiff’s fingerprint biometrics were scanned by one of its PoS systems.
The federal Health Insurance Portability and Accountability Act of 1996 does not exempt hospitals and other healthcare providers from BIPA, an appeals panel has ruled, according to a separate Cook County Record report.
A pair of nearly-identical appeals from a handful of healthcare organizations were rejected by the First District Appellate Court, which found that BIPA’s language makes clear that only patient data already protected under HIPAA is excluded.
Labor agreement can trump BIPA, however, as an appeals panel granted a motion dismissing a class action brought by union members. Under the federal Labor Management Relations Act, collective bargaining agreements pre-empt BIPA, the Seventh Circuit panel found, according to the Cook County Record.
Meanwhile Macy’s has appealed a denial of its motion to dismiss its inclusion in a biometric data privacy case against Clearview AI. Law Street writes that the retailer argues the same logic could be applied to pull any of Clearview’s hundreds of other possible customers into the lawsuit as defendants. The company also argues that the consideration of BIPA cases with those filed under New York and California statutes could cause jurisdictional conflict.