New York And Maryland Propose BIPA-Like Biometric Privacy Bills
New York Assembly Bill 27—introduced on January 6, 2021—seeks to amend the New York general business law in relation to biometric privacy. Similarly, Maryland House Bill 218—introduced on January 13, 2021—proposes biometric privacy regulations on private entities in Maryland.
Like the Illinois Biometric Information Privacy Act (“BIPA”), both the New York Biometric Privacy Act and the Maryland Biometric Identifiers and Biometric Information Privacy Act provide a private right of action, minimum statutory liquidated damages of $1,000.00 or $5,000.00, and attorney’s fees and costs to a prevailing party. Combined, these provisions form an attractive incentive for class action litigants. The plaintiff’s class action bar has filed hundreds of BIPA class actions and recovered hundreds of millions of dollars in settlements in Illinois alone.
There are other similarities between BIPA, the New York Biometric Privacy Act, and the Maryland Biometric Identifiers and Biometric Information Privacy Act. All three acts include maximum biometric data retention periods of three (3) years following an individual’s last interaction. All three acts exclude from liability state and local government units and entities that are subject to the Gramm-Leach-Bliley Act.
But the laws are not exact BIPA carbon copies. While both BIPA and the New York Biometric Privacy Act require private entities to obtain prior written consent before capturing and collecting an individual’s biometrics, the Maryland Biometric Identifiers and Biometric Information Privacy Act only requires a written release prior to disclosing or otherwise disseminating biometrics.
The New York Biometric Privacy Act borrows its definition of “biometric identifier” from BIPA by defining the same as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The Maryland Biometric Identifiers and Biometric Information Privacy Act defines biometric identifier more broadly than BIPA and New York. Maryland proposes that “biometric identifier” means:
“[T]he data of an individual generated by automated measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity.”
Maryland’s definition includes both a signal phrase (“such as”) indicating that the list is not exhaustive, as well as a catchall term covering other types of identifiers that are not listed. Both laws broadly define biometric information in the same manner as BIPA, i.e., as any information—regardless of how it is captured, converted, stored, or shared—based on a biometric identifier used to identify an individual.
Finally, all three—BIPA, New York, and Maryland—require a private entity in possession of biometrics to develop a publicly available biometric data retention policy, but Maryland’s law includes an exception to this requirement. A private entity is not required to make its biometric data policy publicly available if the policy applies “only to the employees of the private entity” and is “used solely for internal company operations.” This exclusion may provide a welcomed reprieve to Maryland employers.
Pending Federal Regulation
The National Biometric Information Privacy Act of 2020 (“NBIPA”) has been pending in the United States Senate since it was introduced on August 3, 2020. There are key similarities and differences between NBIPA and state analogs.
Like BIPA and other state biometric privacy laws, NBIPA attempts to regulate the biometric data practices of private entities. NBIPA requires covered entities to obtain informed written consent prior to collecting or capturing biometrics, and imposes retention, disclosure, and destruction requirements. NBIPA excludes federal, state, and local government units and their contractors, but rather than excluding entities that are subject to Gramm-Leach-Bliley, NBIPA instead provides that its provisions “may not be construed” to conflict with the GLBA. Additionally, NBIPA provides that it does not preempt or supersede any federal, state, or local law that imposes more stringent limitations on the collection, retention, disclosure, and destruction of biometric information.
NBIPA also provides a private right of action for violations. Notably, NBIPA expressly states that a violation of its provisions “constitutes an injury-in-fact and a harm to any affected individuals,” effectively nipping in the bud any of the Article III or standing issues that dominated early BIPA litigation in Illinois. Like BIPA, NBIPA provides minimum statutory damages of $1,000.00 or $5,000.00.
Finally, NBIPA employs a broad approach in defining covered data. Under NBIPA, “biometric identifier” includes “a retina or iris scan, a voiceprint, a faceprint (including any faceprint derived from a photograph), fingerprints or palm prints, and any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual[.]” Not only does NBIPA allow for the possibility of photographs forming the basis for actionable data processing, but it also includes a catchall for additional identifying features.
While the likelihood of a federal biometric privacy law coming to fruition in the near term remains an open question, the introduction of such legislation—particularly with a private right of action, minimum statutory damages, and a statement of injury-in-fact—highlights the growing domestic and international trend towards recognizing the sensitivity and immutability of biometric data and equipping data subjects with the information necessary to make an informed decision.
Private entities of all sizes doing business in New York or Maryland should keep a close eye on these pending biometric privacy bills. If Maryland House Bill 218 passes, it will take effect January 1, 2022. New York Assembly Bill 27 will take effect just ninety (90) days after passage.
Entities outside of New York and Maryland (and Illinois and Texas and Washington . . .) should not fall asleep at the wheel either. Other jurisdictions will undoubtedly follow suit to formally regulate biometric data, whether through standalone legislation or amendments to bring biometric data within the regulatory scope of existing laws. There is also the ever-present chance that regulation at the federal level—such as NBIPA—gains traction.
Attorneys in Honigman’s Data, Privacy, and Cybersecurity group have extensive biometric privacy counseling experience. We have advised clients on biometric data collection, use, transfer, and retention practices, defended clients facing class action liability, and counseled on biometric use-cases and compliance strategies across a wide range of industries.