The past few years have seen several U.S. states adopt, or move to adopt, biometric privacy legislation that dictates what types of facial, fingerprint, or retinal data organizations can collect, use, and store.
A handful of states are following in the footsteps of those that have already passed biometric privacy legislation, such as Illinois, Texas, and Washington, and are drafting bills of their own.
As a first step, many states have expanded the definition of "personal information" under their data breach notification laws to include biometric information, or have enacted entirely new legislation around biometric data.
The basis for much of this legislation is Illinois' Biometric Information Privacy Act (BIPA), a law - the first of its kind in the U.S. - passed back in 2008. The law regulates how biometric data is used, establishing state-level protections for individuals' biological characteristics.
The legislation survived a scare earlier this year in a case involving a Six Flags amusement park that fingerprinted a 14-year-old child without parental approval. While the amusement park argued that it couldn't be held liable unless there was a "tangible injury from the unauthorized collection," the Illinois Supreme Court rejected that argument, stressing that "a person need not have sustained actual damage beyond violation of his or her rights under the Act."
As Reed Smith LLP, a law firm based in Pittsburgh, Penn., notes, legislation is pending in half a dozen other states, including Alaska, Arizona, Massachusetts, Michigan, New Hampshire, and New York - in addition to New York City proper.
New York State, it's worth mentioning, already treats biometric data as personal information under its data breach notification law, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, signed into law last month.
Arkansas, the only state other than California to have passed biometric data legislation, expanded its definition of personal information to include biometric data in April this year. Subsequently, it also expanded its data breach notification requirements to cover the same information.
California's law, codified in Section 1798.100(a) of the California Civil Code - part of the California Consumer Privacy Act (CCPA) - specifies that a consumer "shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected."
As it stands, the legislation applies to any for-profit entity that collects a consumer's personal information and does business in California with an annual gross revenue in excess of $25 million; that buys, receives, shares, or sells the personal information of more than 50,000 consumers; or that derives 50 percent or more of its annual revenue from selling consumers' personal information. CCPA goes into effect on January 1, 2020 but still faces a number of hurdles, including a deluge of amendments that are still in flux.
Texas' law, the Capture or Use of Biometric Identifier Act (CUBI), is similar in that it requires organizations to provide notice and obtain an individual's consent before collecting their biometric data. While there's no private right of action, it also prohibits the sale, lease, and disclosure of biometric data unless an organization has obtained consent. Washington's law, Wash. Rev. Code 19.375.010, is more or less the same with one exception: it does allow the collection and use of biometric identifiers for "security purposes."
Still, Illinois' law remains the benchmark in many ways. Under BIPA, there's a private right of action and a low threshold for alleging injury. The law also applies to employers. Entities found to be in noncompliance can face fines of $1,000 to $5,000 for each improper collection of biometric information or biometric identifiers.
Even if an organization has no employees or consumers in any of the states where legislation is pending, if it collects sensitive biometric data - such as a fingerprint, retinal image, facial scan, or iris image - it should consider reviewing some of these laws, or at least ensure it has a strong form of data protection in place to safeguard that data and demonstrate compliance.
Handprint image via Alexander Mueller, Flickr, Creative Commons