September 22, 2021

Volume XI, Number 265

Advertisement

September 21, 2021

Subscribe to Latest Legal News and Analysis

September 20, 2021

Subscribe to Latest Legal News and Analysis

Maryland Joins New York with a BIPA-like Biometric Privacy Bill

On January 13, House Delegate Sara Love Introduced the “Biometric Identifiers and Biometric Information Privacy Act” (the “Act”) substantially modeled after the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (the “BIPA”). Enacted in 2008, the Illinois BIPA only recently triggered an avalanche of class actions in Illinois, spurring other legislative activity, including in New York. If enacted, Maryland’s Act would become effective January 1, 2022.

Just like the BIPA and the proposed law in the Empire State, the Act would establish rules for “private entities” possessing “biometric identifiers” and “biometric information” of a person, such as:

  • Development of a publicly available policy establishing retention and destruction guidelines,

  • Mandated reasonable safeguards relating to the storage, transmission, and disclosure of such information in a manner at least as protective as for “confidential and sensitive information,” such as social security numbers and account numbers,

  • Prohibiting private entities from profiting from the information, and

  • Limited right to disclose without consent.

Unlike the BIPA, the Maryland bill would clarify the policy need not be publicly available when it applies only to employees and is used only for internal operations.

Most important, the Act also would create a private right of action for persons “aggrieved” by violations of the Act, using language similar to the BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.

We know the Illinois Supreme Court decided that, in general, persons bringing suit under the BIPA do not need to allege actual injury or adverse effect, beyond a violation of their rights under the BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.

As with the proposed BPA in New York, Maryland’s Act is not yet the law. However, if enacted, private entities covered by the Act should promptly take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric identifiers or biometric information against the requirements under the Act. Biometric identifiers under the Act include data of an individual generated by automatic measurements of that individual’s biological characteristics such as fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity. In this respect, the Act would be broader than the BIPA – in Illinois, a biometric identifier is limited to a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. There are, however, exclusions from biometric identifiers under the Act, such as writing samples, photographs, demographic data, physical descriptions (such as height and weight), and protected health information covered by HIPAA.

In the event private entities find technical or procedural gaps in compliance – such as not having a retention and destruction policy concerning such information or obtaining consent to provide biometric information to a third party – they should quickly remedy those gaps.

It is unclear whether courts in Maryland will interpret the availability of remedies under the Act, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the possession, retention, disclosure, safeguarding, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the Act’s requirements, that violation could constitute an invasion, impairment, or denial of a right under the Act resulting in the person being “aggrieved” and entitled to seek recovery.

 

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 52
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Advertisement
Advertisement
Advertisement