Missouri moves closer to a biometric privacy act

Three Missouri bills, House Bill 407, House Bill 500, and Senate Bill 554, have passed second readings as part of a broader legislative effort that is designed to regulate the collection, storage, and use of biometric data by businesses and organizations. The legislation is aimed at establishing the Biometric Information Privacy Act, which follows in the footsteps of Illinois’ BIPA, which has set a precedent for biometric privacy laws in the United States.

With growing concerns over data security and privacy rights, Missouri’s legislation aims to provide clear guidelines for the handling of sensitive biometric data such as fingerprints, facial recognition scans, iris scans, voiceprints, and other unique biological identifiers.

HB 407 and HB 500 propose adding six new sections to the Missouri Revisor of Statutes, defining “biometric information,” and establishing requirements for private entities to develop a public written policy for the retention and destruction of biometric data. SB 554 also requires a written public policy for data retention and destruction, but adds provisions for informed consent, prohibition of data sale, and standards of care for data storage and protection.

HB 407 and HB 500 define “biometric information” as any information, regardless of how it is captured, converted, stored, or shared, that is based on an individual’s biometric identifier and is used to identify an individual.

The primary objective of the Missouri BIPA is to safeguard individuals from unauthorized or unethical use of their biometric information. The law mandates that entities collecting such data must first obtain explicit consent from individuals. This consent must be informed, meaning businesses must clearly disclose the purpose and duration for which the data will be collected, stored, and used. Transparency is a crucial aspect of the act, ensuring that individuals have full awareness and control over their biometric data.

In addition to obtaining consent, the legislation would impose strict regulations on the retention and destruction of biometric information. HB 407 and HB 500 mandates that any private entity possessing biometric identifiers or biometric information must create a publicly available written policy outlining a retention schedule and procedures for the permanent disposal of such data.

This policy must ensure that biometric identifiers and information are destroyed either once their original purpose has been fulfilled or within one year of the individual’s last interaction with the entity, whichever comes first. Unless a valid court-issued warrant or subpoena is presented, private entities must adhere strictly to their established retention and destruction policies.

SB 554 also establishes regulations for private entities that collect and possess biometric information, as well as a cause of action for violations of the act. Under this legislation, private entities must develop a publicly available written policy outlining a retention schedule and procedures for the permanent destruction of biometric information.

A private entity may not collect, capture, purchase, receive, or otherwise obtain biometric information unless the individual whose information is being obtained is informed in writing that their biometric data is being collected or stored. The individual must also be notified of the specific purpose and duration for which their biometric data will be collected, stored, or used, and must provide written consent.

Entities in possession of biometric information are prohibited from disclosing an individual’s biometric data unless the individual provides written authorization, the disclosure is necessary to complete a financial transaction requested or authorized by the individual, the disclosure is required by law, or the disclosure is mandated by a valid warrant or subpoena.

Additionally, private entities are not permitted to sell, lease, or trade biometric information. When storing or transmitting biometric data, private entities must follow the reasonable standard of care applicable to their industry and must protect biometric information with security measures at least as stringent as those used for other confidential and sensitive data.

Under SB 554, private entities cannot condition the provision of goods or services on the collection, use, disclosure, transfer, sale, retention, or processing of biometric identifiers unless such identifiers are strictly necessary for providing the goods or services. Furthermore, an entity may not impose different pricing or alter the quality of goods or services for individuals who exercise their rights under this legislation.

Security measures are another critical component of the bills. Organizations handling biometric data would be required to implement stringent security protocols to protect data from unauthorized access, breaches, or leaks. The act also requires businesses to use industry-standard security practices and encryption methods to ensure that biometric data remains confidential and secure. The law also would prohibit companies from selling, trading, or profiting from individuals’ biometric information.

One of the most significant aspects of Missouri’s BIPA legislation is its enforcement mechanism. The legislation would allow individuals to take legal action against entities that violate their provisions. This private right of action would enable affected individuals to sue businesses for damages, which would include statutory fines and actual financial losses resulting from improper use or disclosure of biometric data.

Violations of SB 554 would allow for legal action with potential damages ranging from $1,000 to $5,000, attorney’s fees, and other appropriate relief. This provision serves as a strong deterrent against potential violations and ensures that companies take compliance seriously.

Missouri’s BIPA also has implications for a wide range of industries, particularly those that rely on biometric authentication for security, workforce management, and customer verification. Employers using fingerprint or facial recognition systems for timekeeping, retailers implementing biometric payment methods, and healthcare providers utilizing biometric patient identification systems would be required to comply with the law’s requirements. Failure to do so would result in costly legal battles and reputational damage.

While the act is designed to protect consumer privacy, it has also raised concerns among businesses regarding compliance costs and the risk of litigation. Companies operating in Missouri would have to carefully review their biometric data policies, implement necessary consent and security measures, and ensure that they align with the law’s provisions to avoid potential penalties.

Missouri’s Biometric Information Privacy Act represents a significant step toward stronger data privacy protections. By regulating the collection and use of biometric data, the law aims to strike a balance between innovation and individual privacy rights.

Article Topics

biometric data  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data privacy  |  data protection  |  legislation  |  Missouri  |  Missouri BIPA