2021 has so far been a year of conflicting impulses in biometrics law: two proposed bills in New York and Maryland would impose substantial new requirements on private entities, but in Illinois a proposed amendment would reign in that state’s existing Biometric Information Privacy Act (BIPA).BIPA is currently the only state statute that provides a private right of action for individuals when a private entity improperly collects, stores, or discloses their biometrics. (Portland, Oregon recently enacted an ordinance prohibiting private entities from using facial recognition in places of public accommodation, and providing a private right of action for enforcement.) Since it was enacted in 2008 BIPA has become the touchstone of biometrics litigation, but its effects have largely been felt only by companies doing business in Illinois.
On January 6, 2021, A27/S1933, the Biometric Privacy Act, was introduced in New York and referred to committee. Soon after, on January 13, HB218/SB16, the Biometric Identifiers and Biometric Information Privacy Act, was introduced in Maryland. HB218 was quickly withdrawn by its sponsor in the state house, but SB16 remains in committee in the state senate.
Both proposed state bills mirror BIPA in nearly all respects. Like BIPA, each would impose various requirements on private entities with respect to “biometric identifiers” and “biometric information,” and create a private cause of action awarding liquidated damages for any violation, and attorneys’ fees. As multiple defendants in BIPA class-actions could attest, such legislation if enacted could lead to waves of new litigation with the potential for astronomical damages figures for any companies who do not come into compliance.
While New York’s proposed law is substantially a copy of BIPA, Maryland’s differs in three key respects. First, BIPA only covers a narrow class of biometrics: retina, iris, hand, and facial scans, and finger and voiceprints, subject to various exclusions. SB16, however, proposes to broadly cover any “unique biological characteristic that can be used to uniquely authenticate the individual’s identity,” including genetic information (subject to the same exclusions set forth in BIPA). SB16, then, could broaden the frontiers of biometric privacy liability to new classes of companies—including DNA genealogy services. Second, while each bill, like BIPA, would require companies to develop, publish, and comply with a biometric data retention and destruction policy, SB 16 would not require publication of purely internal or employee-related policies. Finally, unlike BIPA and New York’s bill, SB16 would not impose any requirements for the initial collection of biometrics—just on their later use and storage.
Both bills envision a relatively short compliance period—A27/S1933 would become effective 90 days after enactment, and SB16 would take effect on January 1, 2022.
Comparison of New York and Maryland proposed bills with BIPA (differences in blue)
NY A27/S1933 | MD SB16 | IL BIPA | |
Definition of biometric identifier | A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; subject to various exclusions. | Data of an individual generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity; subject to various exclusions. | A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; subject to various exclusions. |
Definition of biometric information | Information based on an individual’s biometric identifier used to identify an individual; does not include information derived from items or procedures excluded under definition of biometric identifiers. | Information based on an individual’s biometric identifier used to identify an individual; does not include information derived from items or procedures excluded under definition of biometric identifiers. | Information based on an individual’s biometric identifier used to identify an individual; does not include information derived from items or procedures excluded under definition of biometric identifiers. |
Applicability | Private entities (any individual, partnership, corporation, limited liability company, association, or other group, however organized). | Private entities (any individual, partnership, corporation, limited liability company, association, or other group, however organized). | Private entities (any individual, partnership, corporation, limited liability company, association, or other group, however organized). |
Obligations | (1) Develop, publish, and comply with a retention and destruction policy.
(2) Informed consent prior to collection (3) Restriction on trade (4) Informed consent prior to disclosure (5) Protection of data |
(1) Develop, publish, and comply with a retention and destruction policy; but publication is not required for policies limited to employees or internal operations.
(2) No collection requirement (3) Restriction on trade (4) Informed consent prior to disclosure (5) Protection of data |
(1) Develop, publish, and comply with a retention and destruction policy.
(2) Informed consent prior to collection (3) Restriction on trade (4) Informed consent prior to disclosure (5) Protection of data |
Private Cause of Action | Yes | Yes | Yes |
Damages/Penalties | $1K/$5K, or actual damages per negligent/intentional or reckless violation; plus attorneys’ fees | $1K/$5K, or actual damages per negligent/intentional or reckless violation; plus attorneys’ fees | $1K/$5K, or actual damages per negligent/intentional or reckless violation; plus attorneys’ fees |
The impetus for the proposed bills in New York and Maryland stands in contrast to the misgivings expressed by at least some delegates to the Illinois General Assembly. On February 2, 2021, HB559 was introduced as an amendment to substantially limit the scope of BIPA. The amendment was recently re-referred to committee on April 23. Among other things, HB559 would require a new 30-day notice and cure period prior to filing suit, and would allow companies who timely cure to cut off all liability for past BIPA violations. The amendment would also limit damages to the amount of actual damages, and shorten the statute of limitations from five years to one.
Like other prior proposed bills and BIPA amendments these proposed laws may die in committee, but biometrics law continues to be a dynamic area subject to potentially significant change.