A National Approach to Biometric Privacy
In August, Senators Bernie Sanders (I-VT.) and Jeff Merkley (D-OR.) introduced the National Biometric Information Privacy Act of 2020 (NBIPA), which serves to regulate the collection, retention, disclosure and destruction of biometric information. While NBIPA is awaiting Congressional consideration, its potential effects and nationwide extension make it noteworthy.
As currently drafted, NBIPA limits the collection of personal information to valid business purposes, prohibits the inclusion of written releases in employment contracts, and builds on the Illinois Biometric Information Privacy Act in two major ways. First, NBIPA requires all businesses, regardless of size, to obtain consumers’ opt-in consent before collecting, sharing or using their biometric data, inform consumers of the use and length of term of biometric data, develop and publish a data retention schedule and guidelines for destroying biometric data, and obligates businesses to store, transmit, and protect biometric data in the same or in a more stringent manner as is done for other confidential and sensitive information. Second, NBIPA not only creates enforcement by state attorneys but also creates a private right of action for individuals even if the injury is only a technical violation that does not result in actual damages.
NBIPA’s “Right to Know” section borrows language from the California Consumer Privacy Act (CCPA) and requires businesses to disclose, free of charge, biometric data or personal information to consumers upon their request. While NBIPA defines biometric identifiers to include eye scans, voiceprints, faceprints, fingerprints, it leaves the definition of personal information open to interpretation.
Importantly, NBIPA requires compliance within 60 days of its enactment. As a result, businesses should closely monitor the progress of this legislation and begin preparing an action plan in advance of enactment because there will be a short window within which to become compliant.
NBIPA is another of several privacy acts that have been proposed in Congress, including the recent bills co-sponsored by Senator Merkley, the Facial Recognition and Biometric Technology Moratorium Act and the Ethical Use of Facial Recognition Act. With increasing support from various organizations, and as states including Texas, New York, Washington, and Arkansas continue to legislate biometrics, we can expect to see this Act or an amended version proposed and passed in the future.
We anticipate the Act will undergo intense scrutiny and revision as it makes its way through the legislative process. One particularly contentious issue is likely to be whether the final version of NBIPA will continue to include a private right of action, which would allow consumers to bring a class action for alleged violations of the statute, similar to Illinois’ BIPA. This Illinois provision enabled consumers to obtain a $650 million settlement from Facebook in a recent case in the Ninth Circuit. If NBIPA is enacted, it may limit enforcement exclusively within federal administrative agencies, nullifying any private of action.
Another key element of the Illinois law certain to face scrutiny before NBIPA becomes law is the absence of an actual damage’s requirement. Proof of actual harm or injury is not required in Illinois and this element will also impact the prevalence of prospective future national litigation. Additional elements such as the “Right to Know” requirement of the CCPA may result in a more wide-ranging federal law. These potential differences between state laws such as Illinois’ BIPA and California’s CCPA and any potential federal law will be particularly relevant depending on whether a federal privacy law will preempt state law. Such a federal preemption would eliminate or reduce the states’ ability to establish independent biometric laws inconsistent with the federal law. As currently written, NBIPA permits states to impose more stringent laws, which if passed, would require businesses to comply with both the federal law and the potentially higher standards established by state laws.
Segal McCambridge is here to help your business navigate this emerging landscape.
 For further analysis read here: http://www.smsm.com/blogs-litigationblog,cyber-risk-client-alert-actual-harm-is; http://www.smsm.com/blogs-litigationblog,technology-cyber-risk-client-alert-illinois-appellate
 A recent Fifth District Appellate Court decision in Illinois held that the exclusivity provision of the Illinois’ Workers Compensation Act does not bar employees’ statutory damages claims for violations of BIPA in Illinois. Read more here: http://www.smsm.com/blogs-litigationblog,illinois-appellate-court-eliminates-key-defense-BIPA
- Green Development Risks
- A Question of Timing: Policy-Limit Demands and Insurer Bad Faith in Florida
- CUBI: Everything You Need to Know About Texas' Biometric Law and Beyond...
- Prejudgment Interest Starting as Early as the Time of Injury? At a Rate of 9% Interest? A Bill Sits on Illinois’ Governor’s Desk.
- Now That Vaccine Distribution Has Begun, What Issues Do Employers Face?
- Immunity From Liability For Healthcare Facilities and Healthcare Professionals in the Continuing Battle Against the Covid-19 Pandemic
- Illinois Appellate Court Says the Learned Intermediary Doctrine Does Not Shield a Device Manufacturer from Liability When a Doctor is Deceived About a Device’s Prior Testing and Suitability
- Remote Jury Selection by Video Conferencing
- Illinois Appellate Court Eliminates Key Defense to BIPA Claims
- Professional Liability
- Class Action
- Insurance & Reinsurance Litigation & Counseling
- Insurance Coverage
- Complex Commercial Litigation
- Cyber Risk & Liability
- Toxic Tort
- Professional Development
- Medical Negligence & Healthcare Liability
- Pharmaceutical & Medical Device Litigation
- Product Liability
- Social Media & Privacy
- Construction Litigation & Counseling
- Discrimination, Harassment & Hostile Workplace Claims
- Workers' Compensation
- Employment Litigation & Counseling