A National Approach to Biometric Privacy
In August, Senators Bernie Sanders (I-VT.) and Jeff Merkley (D-OR.) introduced the National Biometric Information Privacy Act of 2020 (NBIPA), which serves to regulate the collection, retention, disclosure and destruction of biometric information. While NBIPA is awaiting Congressional consideration, its potential effects and nationwide extension make it noteworthy.
As currently drafted, NBIPA limits the collection of personal information to valid business purposes, prohibits the inclusion of written releases in employment contracts, and builds on the Illinois Biometric Information Privacy Act in two major ways. First, NBIPA requires all businesses, regardless of size, to obtain consumers’ opt-in consent before collecting, sharing or using their biometric data, inform consumers of the use and length of term of biometric data, develop and publish a data retention schedule and guidelines for destroying biometric data, and obligates businesses to store, transmit, and protect biometric data in the same or in a more stringent manner as is done for other confidential and sensitive information. Second, NBIPA not only creates enforcement by state attorneys but also creates a private right of action for individuals even if the injury is only a technical violation that does not result in actual damages.
NBIPA’s “Right to Know” section borrows language from the California Consumer Privacy Act (CCPA) and requires businesses to disclose, free of charge, biometric data or personal information to consumers upon their request. While NBIPA defines biometric identifiers to include eye scans, voiceprints, faceprints, fingerprints, it leaves the definition of personal information open to interpretation.
Importantly, NBIPA requires compliance within 60 days of its enactment. As a result, businesses should closely monitor the progress of this legislation and begin preparing an action plan in advance of enactment because there will be a short window within which to become compliant.
NBIPA is another of several privacy acts that have been proposed in Congress, including the recent bills co-sponsored by Senator Merkley, the Facial Recognition and Biometric Technology Moratorium Act and the Ethical Use of Facial Recognition Act. With increasing support from various organizations, and as states including Texas, New York, Washington, and Arkansas continue to legislate biometrics, we can expect to see this Act or an amended version proposed and passed in the future.
We anticipate the Act will undergo intense scrutiny and revision as it makes its way through the legislative process. One particularly contentious issue is likely to be whether the final version of NBIPA will continue to include a private right of action, which would allow consumers to bring a class action for alleged violations of the statute, similar to Illinois’ BIPA. This Illinois provision enabled consumers to obtain a $650 million settlement from Facebook in a recent case in the Ninth Circuit. If NBIPA is enacted, it may limit enforcement exclusively within federal administrative agencies, nullifying any private of action.
Another key element of the Illinois law certain to face scrutiny before NBIPA becomes law is the absence of an actual damage’s requirement. Proof of actual harm or injury is not required in Illinois and this element will also impact the prevalence of prospective future national litigation. Additional elements such as the “Right to Know” requirement of the CCPA may result in a more wide-ranging federal law. These potential differences between state laws such as Illinois’ BIPA and California’s CCPA and any potential federal law will be particularly relevant depending on whether a federal privacy law will preempt state law. Such a federal preemption would eliminate or reduce the states’ ability to establish independent biometric laws inconsistent with the federal law. As currently written, NBIPA permits states to impose more stringent laws, which if passed, would require businesses to comply with both the federal law and the potentially higher standards established by state laws.
Segal McCambridge is here to help your business navigate this emerging landscape.
 For further analysis read here: http://www.smsm.com/blogs-litigationblog,cyber-risk-client-alert-actual-harm-is; http://www.smsm.com/blogs-litigationblog,technology-cyber-risk-client-alert-illinois-appellate
 A recent Fifth District Appellate Court decision in Illinois held that the exclusivity provision of the Illinois’ Workers Compensation Act does not bar employees’ statutory damages claims for violations of BIPA in Illinois. Read more here: http://www.smsm.com/blogs-litigationblog,illinois-appellate-court-eliminates-key-defense-BIPA
- Limitations for Policyholders Seeking Coverage in Employment-Related BIPA Cases
- Vaccine Mandates in the Workplace Are Spreading
- The Death of Impartiality - "Dr. Death," Reptilian Tactics, and Fighting Juror Bias
- Considerations That Employers Should be Mindful of as Employees Return to the Office
- A Win for Policyholders Seeking Coverage in a BIPA Class Action Suit
- Reasonable Disagreement or Fraud? Competing Estimates of Property Damage in First Party Claims
- Malpractice Mayhem: An Insurer's Standing to Sue Counsel Retained to Defend Its Insured
- Prejudgment Interest Now a Reality in Illinois
- Florida NIL Legislation: What to Expect in the Coming Weeks
- Texas Supreme Court Clarifies Medical Billing Affidavit Procedure
- Professional Liability
- Class Action
- Complex Commercial Litigation
- Insurance & Reinsurance Litigation & Counseling
- Insurance Coverage
- Cyber Risk & Liability
- Toxic Tort
- Professional Development
- Employment Litigation & Counseling
- Medical Negligence & Healthcare Liability
- Pharmaceutical & Medical Device Litigation
- Product Liability
- Construction Litigation & Counseling
- Social Media & Privacy
- Discrimination, Harassment & Hostile Workplace Claims
- Workers' Compensation