February 17, 2020

February 17, 2020

Subscribe to Latest Legal News and Analysis

February 14, 2020

Subscribe to Latest Legal News and Analysis

Fins to the Left; Fins to the Right – Florida Considers a Private Right of Action for Biometric Privacy Violations

And if you are collecting, storing or using biometric information of any Parrotheads, you may end up being the only bait in town. A bill to create the Florida Biometric Privacy Act was just introduced in the Sunshine State Senate. (SB1270) Of concern to all “private entities” serving Florida residents, the bill would create a private right of action in circuit court for any person whose biometric data is not collected, stored or used in accordance with the new rules.

For each negligent violation, a prevailing party may receive the greater of (i) liquidated damages of $1,000 and (ii) actual damages, plus attorneys’ fees and injunctive or other relief. For reckless violations, the liquidated damages rise to $5,000 per violation.

If passed, the Florida Act would become the second state, following Illinois, to give plaintiffs a private cause of action for biometric privacy violations. The Florida bill has a proposed effective date of October 1, 2019, and closely tracks the Illinois statute.

Generally, the new Act requires private entities that have either “biometric identifiers” or “biometric information” to establish a publicly available written policy establishing a retention schedule and guidelines for destroying that information and identifiers. Destruction will have to occur on the earlier of the time the original purpose of the collection is satisfied and three (3) years after the last interaction with the individual.

Businesses that collect or store biometric information or identifiers must:

  • Inform the individual of the collection or storage,

  • Inform the individual of the purpose and length of time the information or identifiers will be collected, stored or used, and

  • Obtain a written release from the individual for such collection, storage or use

Covered entities must use a “reasonable standard of care within the private entity’s industry” to protect biometric information and identifiers and at least the same standard of care that the entity used to protect “other confidential and sensitive information.”

Sale of biometric identifiers and information is prohibited. Disclosure of such information can only occur with the subject’s consent, where required by law, pursuant to a warrant, or when it completes a financial transaction initiated by the subject.

Financial institutions covered by GLB and contractors and agents of state agencies are excluded from coverage. These new restrictions would be in addition to HIPAA obligations.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Philip Gura, Womble Dickinson Law Firm, Atlanta, Cybersecurity Law Attorney
Of Counsel

Phil Gura has more than 30 years of experience helping companies manage privacy, data security, governance and regulatory compliance challenges. For the past 15 years, he has served as the Chief Legal Officer of major corporations, including Merchant Customer Exchange LLC (MCX), RaceTrac Petroleum Inc. and LaRoche Industries, Inc. His in-house experience includes managing and directing corporate governance, regulatory/compliance, privacy/ data security and intellectual property efforts.

Phil most recently served as Chief Legal Officer of Sionic...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude