Maryland Joins New York with a BIPA-like Biometric Privacy Bill
On January 13, House Delegate Sara Love Introduced the “Biometric Identifiers and Biometric Information Privacy Act” (the “Act”) substantially modeled after the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (the “BIPA”). Enacted in 2008, the Illinois BIPA only recently triggered an avalanche of class actions in Illinois, spurring other legislative activity, including in New York. If enacted, Maryland’s Act would become effective January 1, 2022.
Just like the BIPA and the proposed law in the Empire State, the Act would establish rules for “private entities” possessing “biometric identifiers” and “biometric information” of a person, such as:
Development of a publicly available policy establishing retention and destruction guidelines,
Mandated reasonable safeguards relating to the storage, transmission, and disclosure of such information in a manner at least as protective as for “confidential and sensitive information,” such as social security numbers and account numbers,
Prohibiting private entities from profiting from the information, and
Limited right to disclose without consent.
Unlike the BIPA, the Maryland bill would clarify the policy need not be publicly available when it applies only to employees and is used only for internal operations.
Most important, the Act also would create a private right of action for persons “aggrieved” by violations of the Act, using language similar to the BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.
We know the Illinois Supreme Court decided that, in general, persons bringing suit under the BIPA do not need to allege actual injury or adverse effect, beyond a violation of their rights under the BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.
As with the proposed BPA in New York, Maryland’s Act is not yet the law. However, if enacted, private entities covered by the Act should promptly take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric identifiers or biometric information against the requirements under the Act. Biometric identifiers under the Act include data of an individual generated by automatic measurements of that individual’s biological characteristics such as fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity. In this respect, the Act would be broader than the BIPA – in Illinois, a biometric identifier is limited to a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. There are, however, exclusions from biometric identifiers under the Act, such as writing samples, photographs, demographic data, physical descriptions (such as height and weight), and protected health information covered by HIPAA.
In the event private entities find technical or procedural gaps in compliance – such as not having a retention and destruction policy concerning such information or obtaining consent to provide biometric information to a third party – they should quickly remedy those gaps.
It is unclear whether courts in Maryland will interpret the availability of remedies under the Act, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the possession, retention, disclosure, safeguarding, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the Act’s requirements, that violation could constitute an invasion, impairment, or denial of a right under the Act resulting in the person being “aggrieved” and entitled to seek recovery.