A Host of Biometric Privacy/Facial Recognition Bills Currently Circulating in State Legislatures
We’ve written extensively about the numerous lawsuits, dismissals and settlements surrounding the Illinois Biometric Information Privacy Act (BIPA). The statute, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute. Moreover, in two instances in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.
Thus, the epicenter of biometric privacy compliance and litigation has been the Illinois statute. A Texas biometric statute offers similar protections, but does not contain a private right of action.
The biometrics landscape may be about to get more complicated. An amendment has been proposed to the Illinois biometric privacy, and a number of biometric privacy bills mostly resembling BIPA have been introduced in other state legislatures. While most of the new proposed statutes are roughly consistent with the Illinois statute, as noted below, the Washington state proposal is, in many ways, very different. If any or all of these bills are enacted, they will further shape and define the legal landscape for biometrics.
These bills include:
Alaska (HB 72): Similar to BIPA, the Alaska bill prohibits the collection of an individual’s biometric data for use in a biometric system without proper notice and consent, requires timely disposal after the data is no longer needed, and provides for a private right of action. The bill is currently in committee.
Connecticut (Proposed HB 5522): This proposed House bill would aim to prohibit retailers from using facial recognition software for marketing purposes. It should be noted that the same legislator had introduced a bill in 2016 that failed to achieve passage and would have prohibited capture and use of a biometric identifier for commercial purposes without notice and consent. The 2017 bill was referred to committee.
Illinois (HB 2411): This bill would amend BIPA and provide that except to the extent necessary for an employer to conduct background checks or implement security protocols, a private entity could not require a person or customer to provide a biometric identifier or biometric information as a condition for the provision of goods or services. The text states that such amendment would not apply to companies that provide medical services, law enforcement agencies or governmental agencies. The bill has been assigned to committee.
Montana (HB 518): The bill would establish the Montana Biometric Information Privacy Act, prohibiting a private entity from collecting, storing, and using a person’s biometric data without a person’s consent and establishing procedures for the sale, disclosure, protection, and disposal of biometric information. The bill provides for a private right of action. HB 518 is currently in committee.
New Hampshire (HB 523): As with BIPA, the bill would regulate the collection, retention, and use of biometric information by individuals and private entities. The bill grants any person aggrieved by a violation a private right of action. The bill is currently in committee.
Washington (HB 1493-S): The bill states that its intended purpose is to require a business that collects and can attribute biometric data to a specific individual to provide notice and obtain consent from an individual before enrolling or changing the use of an individual’s biometric identifiers in a database. However, the current text contains several limitations that make it distinguishable from BIPA and soften its overall effect. For example, the bill places an exception to any notice and consent requirements when biometric data is collected and stored “in furtherance of a security purpose” (which is defined as protecting against shoplifting, fraud or otherwise “protecting the security or integrity of software, accounts, applications, online services, or any person”). The bill also provides that the prohibitions on disclosure and retention of biometric identifiers do not apply to disclosure or retention of biometric identifiers “that have been unenrolled” (a term that suggests removal of biometric template data linked to a specific individual from a database, perhaps a reference to anonymous, de-identified biometric data, though a complete interpretation would have to wait for the final statutory text). In addition, and most importantly, the bill would not provide a private right of action, as a material violation would be deemed an unfair or deceptive business practice under the state consumer protection law, enforced solely by the attorney general. The bill is pending in the House Rules Committee.
In addition, a number of states, such as Arizona and Missouri, have pending bills with respect to student privacy that contain limitations on the collection of student biometric data without parental consent.
While it is still early in the legislative process, companies that offer online or mobile services that involve the collection of covered biometric information should be aware of the proposed biometric privacy legislation being debated in a handful of statehouses. Depending on whether any of the bills are passed, entities may have to consider changes to their notice and consent practices, or decide to not collect or store biometric data at all. Moreover, while we are closely watching the current Facebook biometric privacy litigation in California, new state laws, even ones premised on BIPA, may present different legal considerations or restrictions depending on how the final statutory text differs from the Illinois law.
We will continue to closely watch legislative and other developments surrounding biometric privacy.