Biometric Data Regulations Likely to Be Passed in New York and Maryland
New York and Maryland have been deliberating on two bills that seek to regulate biometric data collection: the Biometric Privacy Act (Assembly Bill 27) and the Biometric Identifiers and Biometric Information Privacy Act (House Bill 218), respectively. At the moment, three states, viz. Illinois, Texas and Washington, have active biometric privacy laws.
The wide use of biometric technology has raised privacy concerns among many people, since its misuse can lead to severe mishandling of sensitive data and even identity theft. Moreover, if biometric technology is compromised, it will never again be a secure method of authentication, and the compromise would be far more damaging than theft or mishandling of other types of data, such as a person’s credit card number. Therefore, it becomes immensely important for each state to enact a biometric privacy law that ensures protection of a person’s biometric data.
A typical biometric privacy regulation governs how an organization handles and safeguards biometric data. Generally, the regulation covers collection, retention, destruction, notice procedures, sale, and protection of the data. Illinois was the first state to pass a law regulating biometric data, in 2008. The Illinois regulation, 740 ILCS 14, is considered the strictest of the three active state statutes and is also the only one that allows a private right of action. If the biometric data regulations are passed in New York and Maryland, they would allow affected consumers to sue organizations that have failed to handle biometric data as required by the enacted regulations. The proposed bills of the two states closely resemble the Illinois statute in several ways. For instance, under the Illinois regulation, organizations doing business in the state are required to implement policies on the retention of biometric data, including timelines for data retention or destruction and guidelines on when it is appropriate to store or destroy the data. A similar provision is included in the bills proposed in New York and Maryland. Other features common to the Illinois regulation and the proposed bills are a ban on selling or profiting from another person’s biometric data, consumer consent for disclosure of biometric data, and an emphasis on data protection. The other two active state statutes, i.e. those of Texas and Washington, have some overlapping features. However, neither statute provides for a private right of action or policy requirements, which makes them far less restrictive.
As the proposed bills provide for a private right of action, it is anticipated that the courts would face a huge wave of class action claims against organizations doing business in Maryland and New York that fail to abide by the biometric data protection regulations. A similar wave has already been faced by the Illinois courts, with an exceptional increase in class actions over improper collection of biometric data. In fact, the Illinois Supreme Court held that even a mere violation of an individual’s privacy right is enough to initiate a class action under the biometric privacy law. It thereby waived the need to prove an actual injury from the privacy breach. For instance, an organization collecting a person’s fingerprints without his/her consent can be a sufficient cause of action for exercising the private right of action.
As seen in Illinois, class actions against organizations breaching the biometric data regulation have resulted in astronomical monetary fines. The Illinois statute and the proposed bills allow $1,000 for each violation and $5,000 if the violations were intentional or reckless. Class actions against such organizations have a high rate of succeeding and of devastating the organization financially, as the claimants do not even have to prove an actual injury from the data breach. As the concern for privacy grows, class actions against defaulting organizations will continue to grow. Therefore, organizations should gear up and work towards protecting their consumers’ data.
With such dire consequences, organizations in every state should be proactive and adopt practices such as developing comprehensive biometric data policies, ensuring proper security of biometric data, providing notice of biometric data collection, obtaining written consent before collecting biometric data, and refraining from selling the collected data.