As we previously reported, the Illinois Supreme Court recently issued a landmark ruling interpreting the Biometric Information Privacy Act (BIPA). In Rosenbach v. Six Flags, the court held a violation of BIPA’s requirements, such as failing to obtain proper consent or provide an appropriate disclosure, was sufficient to give rise to a claim under the law even absent some type of actual damages or harm (e.g., identity theft). While BIPA has received the majority of public attention as a result of the more than 200 (and climbing) class actions filed under the law in the past two years, it is worth noting that Texas and Washington have similar laws in force. However, these laws lack two of BIPA’s critical elements; namely, they do not provide a private right of action and do not require prior written consent to the collection of biometric information from subject individuals.
As BIPA litigation continues to increase in Illinois, more states are considering legislation to regulate the collection of biometric data, including:
- Massachusetts: The most recent privacy bill to encompass biometric information is a hybrid of the BIPA and Texas/Washington models, but is not limited solely to biometric data. The bill requires companies collecting consumer personal information—which includes all information “relating to an identified or identifiable consumer” including biometric data—to put the individual on notice of the data collection before or at the time of collection, respond to opt-out requests, and provide the individual with the right to access and/or delete the collected data. The bill provides a private right of action, but it does not require affirmative written consent.
- New York: New York lawmakers introduced NY SB 1203 on January 11, 2019, in an effort to establish the Biometric Privacy Act. The proposed law is substantially similar to BIPA, and includes a private right of action. This is the third year New York has tried to pass this legislation.
- Delaware: Introduced in March 2018, DE HB350 remains pending. This bill contains a notice requirement similar to BIPA, but does not require an individual’s consent to be in writing. Importantly, the bill also lacks a private right of action, with enforcement being left to the Delaware Consumer Protection Unit.
- Alaska: This bill mimics BIPA in providing a private right of action and statutory damages of between $1,000 and $5,000 depending on the type of violation. Like BIPA, this bill also requires that individuals be provided with notice of the collecting entity’s biometric privacy practices and that written consent be obtained. Pending since 2017, this bill has not had any action in the state legislature.
- Michigan: After being introduced in September 2017, this Michigan bill has languished in committee. Like BIPA, MI HB 5019 provides a private cause of action with statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations. The bill also follows BIPA in generally requiring a written release, “or in the context of employment, a release executed by an employee as a condition of employment.”
- Other: Note that an increasing number of states are including biometric data within their definition of “personal information” in state data breach notification laws. In addition, several broader laws are pending that also regulate biometric data as well as other types of personally identifiable information.
TIP: Companies that collect, use or share biometric information (including retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) should monitor both the proposed legislation on point and the active litigation in Illinois. As noted in our previous briefing, there is no firm consensus as to what constitutes sufficient notice and consent to satisfy the BIPA requirements, and litigation outcomes may provide some insight into courts’ and consumers’ expectations on these points.