As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data. However, we have recently seen an increasing number of states focusing on this issue. Part I summarized legislative activity on this issue in 2020. In this Part II, we discuss noteworthy legislation to monitor in 2021.
What to Expect in 2021
At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.
New York – AB 27
On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data. BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy. As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data. The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.
With bipartisan support by 16 Democrat and 7 Republican lawmakers, New York’s BPA may become the next biometrics law in 2021 with a private right of action.
Maryland – SB 16
On January 13, 2021, the Maryland Senate introduced Senate Bill 16, Biometric Identifiers and Biometric Information Privacy Act. It requires businesses in possession of biometric data, except data applying to its employees or used for internal operations, to develop a written public policy establishing a retention schedule and guidelines for the handling of the biometric data. The proposed statute would include requirements for storage, transmittal, and protection of biometric data, and limitations for profiting on the data. The statute mirrors the remedies under BIPA, and also allows recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.
Passage of this bill may prove to be more difficult, as the bill is sponsored by one Democratic lawmaker, albeit from the majority party in the Maryland Senate.
Without any federal statute governing the collection and use of biometric data, biometrics litigation will continue to develop, evolve, and rise based on individualized state statutes—as currently seen with Illinois’ BIPA, and being considered by numerous other states.
Although movement on the federal level for comprehensive data privacy has not gained significant momentum, the recent change in federal administrations may re-kindle the discussion. If so, let’s hope biometrics is part of the conversation.