US states keep whacking at biometric privacy laws

This year could be a big one for state-level biometric privacy legislation in the U.S. Illinois’ landmark BIPA could be defanged and other significant legislative moves are already on the books.

Here’s a summary of three states’ current efforts.

First, Illinois continues to play with the idea of making its Biometric Information Privacy Act more acceptable to businesses that collect identifiers.

The biggest complaint of executives is, of course, the right that BIPA gives to plaintiffs to seek cumulative damages for every illegal biometric scan performed by a company. Proponents of the law say the level of risk a person faces if a biometric template is stolen requires businesses face a big financial risk if they use, lose or misuse biometrics.

Indeed, it could push some payouts to truly breathtaking levels when, for instance, a large business does not get consent from employees to be scanned every time they sign on for a shift or sign out.

State Sen. Bill Cunningham has posted a summary of Senate Bill 2979 that would restrict violations to per-employee rather than per-scan.

In his statement, Cunningham says Illinois has “arguably the strongest digital privacy laws in the nation.” Maybe too strong, he says.

Privacy guarantees will remain the same, according to Cunningham, but punish violating businesses fairly.

The right of action, the second major complaint businesses have with BIPA, remains in the bill.

Out in the Mountain West, twin biometric privacy bills have been introduced in the Colorado Legislature.

House Bill 24 – HB 1130 creates rules for lawful biometrics collection, but at least at this state in the bill’s life, nothing is said about punishment for violations.

Many of the provisions of the bill are side issues, like requiring business to have relevant written policies that include, for example, a schedule for data destruction. And identifiers couldn’t be trafficked.

Businesses also would be required to create a response protocol for breaches, a provision that is not common among other states enacting privacy acts. They’d also have to get written consent prior to collection.

Identifier owners or their legal representative would have the right to update the data.

And employers would be restricted in how identifiers can be used – for IAM and keeping time on the premises. But they would be forbidden from using biometrics to, essentially, manage workers by physically tracking them in real time.

Last is a biometrics privacy bill signed into law last month in New Jersey. This one has an interesting scope.

It governs only the consumer data that has been collected by a company “for the purpose of selling the consumer’s information.”

In a statement released by the governor’s office, State Sen. Paul Moriarty said “In a time when personal data is a valuable commodity, safeguarding personal data is more important than ever.”

The law also requires collecting businesses (but not nonprofits) to post a conspicuous link through which consumers can opt out of harvesting.

Article Topics

biometric data  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  Colorado  |  data privacy  |  legislation  |  New Jersey  |  United States