Newly proposed Federal Biometrics Privacy Act mirrors controversial - and expensive - Illinois statute
On August 4, 2020, Senators Jeff Merkley and Bernie Sanders introduced the National Biometric Information Privacy Act (the “National Act”), a data privacy law modeled after the Illinois Biometric Information Privacy Act (the “Illinois Act”). As Illinois’s experience shows, the proposed act has potential to give rise to a tidal wave of expensive class action lawsuits against all manner of businesses throughout the country. Companies should carefully monitor the progress of the National Act and analyze the impact it would have on their businesses.
Like the Illinois Act, the proposed National Act would regulate the use, retention, and disclosure of “biometric identifiers” by businesses. It broadly defines “biometric identifiers” to include (i) retina or iris scans; (ii) voiceprints; (iii) faceprints (including faceprints derived from photographs); (iv) fingerprints or palm prints; and (v) any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristics of an individual. If enacted, the proposed National Act would impose nearly identical obligations as the Illinois Act. Among other things, it would require businesses to:
- develop and maintain a publicly available written policy establishing a retention schedule and guidelines for permanently destroying any biometric identifiers;
- collect biometric identifiers only when providing a service to the person or customer, or another valid business reason specified in the written privacy policy;
- before collecting any biometric identifiers, obtain a written release that identifies the purpose and length of the collection, storage, or use;
- before disclosing any biometric identifiers, obtain a written release specifying the data that will be disclosed; the reason for the disclosure; and the recipients of the data; and
- protect any biometric identifiers using the reasonable standard of care within the business’ industry.
The National Act also incorporates elements of the California Consumer Privacy Act (“CCPA”). Like the CCPA, the National Act would give individuals a “right to know” what businesses are doing with their personal information. It also would require businesses to disclose the “personal information” they have collected within the preceding 12-month period upon request, although it does not define “personal information” or state whether such information is limited to biometric identifiers. These required disclosures include: (1) the categories of personal information; (2) specific pieces of personal information; (3) categories of sources from which the business collected personal information; (4) the purposes for which the business uses the personal information; (5) categories of third parties with whom the business shares the personal information; and (6) categories of information that the business sells or discloses to third parties.
Perhaps most alarming to businesses is that, like the Illinois Act, the National Act would create a private right of action. The National Act provides that any individual aggrieved by a negligent violation may bring a civil lawsuit and recover $1,000 per violation in liquidated damages or actual damages, whichever is greater, while any individual aggrieved by an intentional or reckless violation may recover actual damages plus punitive damages not to exceed $5,000 per violation. Aggrieved individuals would also be entitled to recover reasonable attorneys’ fees and costs of litigation. The National Act also would be enforceable by state attorneys general.
This is a troubling development for businesses because recent years have seen a proliferation of claims against them under the Illinois Act. Indeed, with the rapid expansion and deployment of biometric-based technology, Illinois courts have been inundated with an unprecedented number of class action lawsuits for alleged violations of the state statute. This has cost companies that do business in the state and their insurers millions in legal fees – and far more in settlements.
The move toward federal regulation of biometric identifiers would represent a significantly increased burden on businesses that rely on the data for entirely legitimate purposes such as employee timekeeping and providing customer service. Although it is too early to say whether the National Act will gain additional support in Congress, its introduction may generate new discussion about the role of the federal government in regulating biometric data. We will continue to monitor this bill and other legal developments regulating the collection and use of biometric information.
For additional information or questions regarding this legislation and the potential impact on your business, please contact the attorneys below.