Maryland and Mississippi lawmakers consider biometric data protection bills
Maryland’s state legislature has introduced a biometric data privacy act, in one of several moves at the state level towards increasing data privacy regulation.
HB 33, titled ‘Commercial Law – Consumer Protection – Biometric Data Privacy’ and spotted by DataGuidance, has passed its first reading. It would require private entities that hold biometric data to develop and publish policies, and to establish a retention schedule and data destruction guidelines within certain timeframes. There are exceptions to the policy requirements for businesses only using biometrics from employees or for internal operations.
Photographs and audio recordings do not, in and of themselves, count as biometric data.
Consent must be collected, whether in written or digital form, and restrictions would be applied to disclosing or selling biometric data. Data storage and transmission would have to meet a set of security requirements.
Providing a service also cannot be made conditional on supplying biometric data, unless the service cannot be delivered without it.
A private right of action is included, and the rules would also be enforceable through the Maryland Consumer Protection Act.
Public sector entities are not covered under the act.
Mississippi introduces biometrics act
The Mississippi State Legislature has introduced the Biometric Identifiers Privacy Act to regulate the collection and use of biometrics by private sector entities.
HB 467 would require private organizations to develop and publish policies for the biometric data they hold, including a retention schedule and data destruction policy.
The ‘Biometric Identifiers Privacy Act’ would also require written consent from biometric data subjects. Employee biometrics can be collected, but with restrictions, such as on the retention of data that could be used to track them.
Individuals or their legal representatives can also demand information about what biometrics of theirs are held, the source of the data, what it has been used for, whether it was disclosed to any third parties, and if so who those third parties are.
Rather than placing a right of action under the act with either individuals or the State Attorney General, both will be able to sue under the proposed law.
Who should be involved in enforcement actions has been one of the points of division in proposed state laws on biometric data privacy, with some following Illinois in allowing private action. Some state bills, meanwhile, like Colorado’s, focus on restricting facial recognition.
If passed, the law will come into effect halfway through 2023.
Nebraska legislators, meanwhile, are considering the Personal Privacy Protection Act, which would restrict the collection of personal information by public agencies.