Could the right to sue remake US biometrics privacy lawsuits?

The provision in the U.S. that seems to be the biggest stumbling block for states trying to enact comprehensive biometric privacy laws is private right of action.
More state legislators were attracted to the issue of biometric privacy rights in 2023 than ever before, but many proposed bills have stalled or died in committee. All of those efforts carried core language first written in the state of Illinois 15 years ago when the landmark comprehensive Biometric Information Privacy Act became law.
Common are provisions that exempt any health care-related data, fines of $1,000 to $5,000 per violation, informed consent mandates and profiteering prohibitions.
(“Per violation” appears in all of them, and few if any spell out that phrase. Defining it will save or cost defendants dearly.)
A private right of action means that individual private citizens can sue for violations or band together in class actions. The alternative to this in passed and pending legislation is giving a state’s attorney general sole authority to sue over biometric data abuses.
Businesses would rather no one be able to sue them at all, but the attorney general route is the preferred of the two because they can lobby AGs, who are elected, to remain passive or to cherry-pick cases to reduce their impacts if they lose. They can also dissuade potential plaintiffs by collecting damages and putting them in state coffers rather than people’s hands.
What really has enraged some in the Illinois business community over BIPA is the right of action. (Some proposed state laws allow for both private and state lawsuits.)
This enables anyone to sue for damages, and is coupled with “per violation” language in bills, which in the case of BIPA, has been defined as every illegal biometric scan. The result has been some comparatively huge awards in class actions.
An association of entrepreneurs, startup venture capitalists and policy analysts called Engine wrote a report this year about patchwork privacy legislation. Group members are unhappy. They would rather there be a single federal law governing this sector of the economy.
Compliance would be easier and cheaper that way. It also is easier and cheaper to try to influence one law than 50 (more likely a multiple of 50) state biometric laws, both comprehensive and sector-specific, like health care.
Engine analyzed policies in five states that have enacted comprehensive biometric privacy laws – California, Virginia, Colorado, Connecticut and Utah.
Four of the five offer no private right of action. The fifth, California, enacted a limited right.
Correlation is not causation, of course, but it is significant that one of the hated provisions of BIPA, right of action, is found far more often in unenacted laws than in successful legislation.
Arizona’s latest bill offered a private right of action, as did work by Hawaii, Maine, Maryland, Missouri, Minnesota, Mississippi, New York, Tennessee and Vermont.
Notably, Kentucky has crafted a related bill that includes a right of action, but an amendment has been proposed that would remove it.
Taken together, these state-level bills could dramatically impact how biometrics are deployed and regulated across the United States as soon as 2024.