In early January, legislators in New York and South Carolina introduced biometric privacy bills that would restrict private entities’ use of biometric information and, of particular note, provide consumers with a private right of action. If enacted, New York and South Carolina would join Illinois, Texas, and Washington in specifically addressing biometric privacy at the state level (although the latter two do not provide a private right of action).
New York’s Biometric Privacy Act
Introduced on January 6, New York’s proposed Biometric Privacy Act (BPA) is nearly identical to Illinois’ Biometric Information Privacy Act (BIPA):
- Biometric identifiers are defined as a retina or iris scan, fingerprint, voiceprint, or scans of hand or face geometry, and biometric information means information in any form that is based on a biometric identifier used to identify an individual.
- Private entities in possession of biometric identifiers or biometric information are prohibited from selling, leasing, trading, or profiting from a person’s biometric identifier or information.
- Private entities are prohibited from disclosing biometric identifiers or information except for in enumerated circumstances, such as with an individual’s written informed consent before collecting or otherwise obtaining the biometric identifiers or information.
- Private entities in possession of biometric identifiers or information must also develop written, publicly available policies that include the retention schedule and destruction guidelines for biometric identifiers and information.
- Private entities in violation of the BPA face a private right of action and statutory damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.
South Carolina’s Biometric Data Privacy Act
In contrast, the proposed South Carolina Biometric Data Privacy Act (SC BDPA), introduced on January 12, differs significantly from BIPA and the BPA:
- Biometric information is defined much more broadly to include “an individual’s physiological, biological, or behavioral characteristics, … that can be used, singly or in combination with each other or with other identifying data, to establish an individual’s identity.” This includes “biometric identifiers” as defined in BIPA and the BPA, but also “keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, exercise data, or geolocation data that contain identifying information.” Such a definition sweeps in many more practices than are currently seen in BIPA litigation.
- Businesses are only required to delete such biometric information upon the subject’s request, as opposed to the requirement under BIPA (and potentially the BPA) to delete when the purpose has been fulfilled or within 3 years of the subject’s last interaction.
- Similarly, while BIPA (and the BPA) prohibits all sales of biometric information, the SC BDPA only prohibits the sale of such data upon the subject’s request to opt out of these sales.
As indicated by the sale opt-out right mentioned above, the SC BDPA’s consumer request mechanisms are similar to those provided to California residents under the California Consumer Privacy Act (CCPA):
- Businesses must provide consumers with a notice at or before the point of collection to inform consumers of the “specific and legitimate purpose for which the biometric information will be used.”
- Consumers are provided with access, deletion, and sale opt-out rights with respect to any collected biometric information.
- Businesses must add a “clear and conspicuous” link titled “Do Not Sell My Biometric Information” to their website.
- Businesses must not discriminate against consumers for exercising any of these rights.
- Businesses must notify consumers of a security breach within 72 hours of becoming aware of the incident or face a $5,000 fine for each consumer who was not notified.
Like BIPA and the BPA, the SC BDPA includes a private right of action. Businesses in violation of the SC BDPA face statutory damages of up to $1,000 for negligent violations. For intentional or reckless violations, the statutory damages would be double that under BIPA – $10,000. This is a significant increase given the already crippling potential liability and settlement leverage that companies face under BIPA.
What’s Next
At the time of publication, the BPA and SC BDPA are still in committee. The introduction of these two bills marks the beginning of what we expect will be a particularly active year for state (and potentially federal) privacy legislation. Given the growing trend of state biometrics legislation, we expect this topic in particular to continue to receive a significant amount of attention. We may also see renewed consideration of previously introduced bills. For example, Virginia continues to consider a bill proposed last year to regulate employers’ collection, retention, and use of biometric data. As is always the case with privacy and security compliance, companies should resolve to stay ready for new data protection regimes while complying with those already on the books.