A National Approach to Biometric Privacy

In August, Senators Bernie Sanders (I-VT) and Jeff Merkley (D-OR) introduced the National Biometric Information Privacy Act of 2020 (NBIPA), which serves to regulate the collection, retention, disclosure and destruction of biometric information. While NBIPA is awaiting Congressional consideration, its potential effects and nationwide extension make it noteworthy.

As currently drafted, NBIPA limits the collection of personal information to valid business purposes, prohibits the inclusion of written releases in employment contracts, and builds on the Illinois Biometric Information Privacy Act in two major ways. First, NBIPA requires all businesses, regardless of size, to obtain consumers’ opt-in consent before collecting, sharing or using their biometric data; inform consumers of the use and length of term of biometric data; develop and publish a data retention schedule and guidelines for destroying biometric data; and store, transmit, and protect biometric data in the same manner as, or in a more stringent manner than, other confidential and sensitive information. Second, NBIPA not only creates enforcement by state attorneys but also creates a private right of action for individuals even if the injury is only a technical violation that does not result in actual damages.[1]

NBIPA’s “Right to Know” section borrows language from the California Consumer Privacy Act (CCPA) and requires businesses to disclose, free of charge, biometric data or personal information to consumers upon their request. While NBIPA defines biometric identifiers to include eye scans, voiceprints, faceprints, and fingerprints, it leaves the definition of personal information open to interpretation.

Importantly, NBIPA requires compliance within 60 days of its enactment. As a result, businesses should closely monitor the progress of this legislation and begin preparing an action plan in advance of enactment because there will be a short window within which to become compliant.

NBIPA is another of several privacy acts that have been proposed in Congress, including the recent bills co-sponsored by Senator Merkley, the Facial Recognition and Biometric Technology Moratorium Act and the Ethical Use of Facial Recognition Act. With increasing support from various organizations, and as states including Texas, New York, Washington, and Arkansas continue to legislate biometrics, we can expect to see this Act or an amended version proposed and passed in the future.

We anticipate the Act will undergo intense scrutiny and revision as it makes its way through the legislative process. One particularly contentious issue is likely to be whether the final version of NBIPA will continue to include a private right of action, which would allow consumers to bring a class action for alleged violations of the statute, similar to Illinois’ BIPA. This Illinois provision enabled consumers to obtain a $650 million settlement from Facebook in a recent case in the Ninth Circuit.[2] If NBIPA is enacted, it may limit enforcement exclusively to federal administrative agencies, nullifying any private right of action.

Another key element of the Illinois law certain to face scrutiny before NBIPA becomes law is the absence of an actual damages requirement. Proof of actual harm or injury is not required in Illinois, and this element will also impact the prevalence of future national litigation. Additional elements such as the “Right to Know” requirement of the CCPA may result in a more wide-ranging federal law. These potential differences between state laws such as Illinois’ BIPA and California’s CCPA and any potential federal law will be particularly relevant depending on whether a federal privacy law will preempt state law. Such a federal preemption would eliminate or reduce the states’ ability to establish independent biometric laws inconsistent with the federal law. As currently written, NBIPA permits states to impose more stringent laws, which, if passed, would require businesses to comply with both the federal law and the potentially higher standards established by state laws.

Given the broadness of NBIPA and the increasing use of biometric data, NBIPA would apply to all types of businesses. If passed, businesses, including those that are not currently subject to state-specific biometric privacy laws, will be subject to the Act, and some may also be subject to any applicable state or local law.[3] Businesses should begin taking measures to ensure they have adequate practices and policies in place to minimize any risk from the increasing regulation of biometric data. Forward-thinking businesses should consider developing a privacy policy clearly stating what data is being collected as well as a schedule for retaining and destroying this data, providing written notice of the data policy, obtaining a written release for collection of data, including an opt-out, and implementing data security measures to safeguard biometric data.

Segal McCambridge is here to help your business navigate this emerging landscape.

[1] For further analysis read here: http://www.smsm.com/blogs-litigationblog,cyber-risk-client-alert-actual-harm-is; http://www.smsm.com/blogs-litigationblog,technology-cyber-risk-client-alert-illinois-appellate

[2] http://www.smsm.com/blogs-litigationblog,cyber-risk-client-alert-facebook-settles-its

[3] A recent Fifth District Appellate Court decision in Illinois held that the exclusivity provision of the Illinois Workers’ Compensation Act does not bar employees’ statutory damages claims for violations of BIPA in Illinois. Read more here: http://www.smsm.com/blogs-litigationblog,illinois-appellate-court-eliminates-key-defense-BIPA
