Biometric privacy laws are a growing trend, with at least 15 proposals emerging across 11 states in the US since 2023. These laws are designed to regulate the collection, handling, protection, use, and dissemination of biometric information such as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry. While there is no nationwide biometric privacy law in the US, several states have enacted specific laws to address this issue, including Illinois, Texas, Washington, and New York City. These laws aim to protect individuals' biometric data from being used without their consent and ensure that organizations handling such data have appropriate security measures in place. Non-compliance with these laws can result in significant monetary exposure and liability for businesses.
| Characteristics | Values |
|---|---|
| Number of states with biometric privacy laws | 4 |
| States with biometric privacy laws | Illinois, Texas, Washington, New York City |
| Dominant statute in the biometric privacy legal landscape | Illinois's Biometric Information Privacy Act (BIPA) |
| Number of states with biometric privacy law proposals in 2023 | 11 |
| States with biometric privacy law proposals in 2023 | Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington |
| Number of states with comprehensive state privacy laws that regulate biometric information as "sensitive" information | 5 |
| States with comprehensive state privacy laws that regulate biometric information as "sensitive" information | California, Colorado, Virginia, Connecticut, and Utah |
| States and municipalities that restrict the use of specific types of biometric data | Colorado, New York City |
| States with specific biometric privacy laws | Illinois, Texas, Washington |
| City with a specific biometric privacy law | New York City |
| States with consumer privacy statutes that address the use of biometric data | California, Virginia, Colorado, Connecticut, Utah, Delaware, Texas, Oregon, Montana, Iowa, Florida |
| States expected to have consumer privacy statutes coming into effect in 2024 and 2025 | Delaware, Texas, Oregon, Montana, Iowa, Florida |
What is biometric data?
Biometric data is a set of unique biological characteristics that can be used to identify individuals. It is often used as an advanced layer of security for personal and enterprise systems.
Biometric data can be broken down into three types: biological, morphological, and behavioural. Biological biometrics uses traits at a genetic and molecular level, such as DNA or blood. Morphological biometrics involves the structure of the body, such as fingerprints, eyes, and facial shape. Behavioural biometrics are based on patterns unique to each person, such as gait, voice, or typing patterns.
Biometric data is always unique to the individual. Even identical twins have different fingerprints. This makes it a very secure method of identification. Biometric data is also permanent and cannot be changed, stolen, or forgotten.
Biometric data is used in many sectors, including finance, social media, education, and healthcare. It is also used by government bodies, such as the Department of Homeland Security in the US, to detect and prevent illegal entry into the country, and by law enforcement agencies to identify criminals.
While there are no nationwide biometric privacy laws in the US, some states have passed laws to govern the use of biometric data. For example, Illinois' Biometric Information Privacy Act (BIPA) provides a private right of action against entities that break the law. There are also federal laws that cover biometric data, such as the Stored Communications Act (SCA) and the Gramm–Leach–Bliley Act (GLBA).
What are the federal laws on biometric privacy?
While there are no specific federal laws on biometric privacy in the US, there are a host of federal laws that cover biometric data. These laws will inform your decisions around cybersecurity, privacy, and consent.
The Stored Communications Act (SCA)
The SCA was enacted as part of the Electronic Communications Privacy Act of 1986. It protects the privacy of electronic communications while they are being stored. This could include emails held on a server, or the records of subscribers to email services. The act demands that precautions are taken to protect these communications while they are stored.
The Gramm–Leach–Bliley Act (GLBA)
The GLBA, also known as the Financial Services Modernization Act, governs the way financial institutions handle customer data. Biometrics are an incredibly effective way to verify payments, so they play a vital part in the security arrangements of financial institutions. The GLBA covers “personally identifiable information”, which includes most biometrics. The act requires financial institutions to explain how they use this data and protect it from cybersecurity threats.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was introduced in 1996 to improve health care coverage and delivery for Americans. It is now a regime of national standards for the protection of patient health data. The HIPAA Privacy Rule demands that organizations handling medical records put safeguards in place. The kinds of organizations covered by HIPAA are healthcare providers and insurers. Biometrics fall under the category of Protected Health Information (PHI). Under the HIPAA Security Rule, organizations must protect PHI to avoid data breaches.
The Children's Online Privacy Protection Act (COPPA)
COPPA imposes requirements on online services aimed at children under 13 years old and covers online entities that knowingly collect data from children. Facial biometric data is likely covered by COPPA. Companies that wish to use this data must do so fairly and openly, gathering it only after informing users.
What are the state laws on biometric privacy?
The enactment of biometric privacy laws is a growing trend across the US. While there are no federal laws that specifically cover biometrics, there are a host of federal laws that apply to the use of biometrics, including the Stored Communications Act (SCA) and the Gramm–Leach–Bliley Act (GLBA). In addition, some states have specific biometric privacy laws that provide protection for residents.
Illinois
Illinois was the first state to enact a biometric data privacy law in 2008. The Illinois Biometric Information Privacy Act (BIPA) requires entities that use and store biometric identifiers to comply with certain requirements and provides a private right of action for recovering statutory damages when they do not. BIPA specifies that:
> [b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
BIPA also defines a “biometric identifier” as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry."
Texas
Texas has a broad biometric privacy law that prohibits the sale, lease, or disclosure of biometrics to a third party. In Texas, biometrics must have the same level of protection as any other private data.
Washington
Washington's H.B. 1493 requires organizations to provide notice to an individual before gathering their biometrics, obtain consent, and have a process to prevent the use of biometrics for commercial purposes. However, privacy advocates consider this weaker than BIPA or CUBI, as it doesn't cover facial recognition data or voiceprints.
New York
New York City's Biometric Information Privacy Law, applicable to certain commercial establishments, provides a private right of action. It requires any "commercial establishment" that collects biometric information from "customers" to disclose the collection "by placing a clear and conspicuous sign near all of the commercial establishment's customer entrances." It also makes it unlawful to sell, lease, trade, share, exchange, or profit from the transaction of biometric identifier information.
Portland
Portland City Code, Title 34 (Digital Justice), Chapters 34.10.010-34.10.050, prohibits the use of Facial Recognition Technologies in Places of Public Accommodation by Private Entities within the city boundaries. It provides for recovery of the damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater.
California, Colorado, Connecticut, Utah, and Virginia
These states have passed comprehensive consumer privacy laws that, once in full effect, will expressly govern the processing of biometric information.
What is the Illinois Biometric Information Privacy Act (BIPA)?
The Illinois Biometric Information Privacy Act (BIPA) is a comprehensive biometric privacy law that was enacted in 2008. BIPA establishes standards for how companies must handle Illinois consumers' biometric information. The law requires companies that collect, capture, or store biometric data to:
- Inform the person in writing about what data is being collected and why.
- Inform the person about the specific purpose and length of time the data will be collected, stored, and used.
- Obtain the person's written consent.
Biometric information includes retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information.
BIPA prohibits companies from selling or profiting from consumers' biometric information. It also allows consumers to take legal action against companies that violate the law. This makes BIPA the most protective biometric privacy law in the United States.
The importance of BIPA is highlighted by the fact that biometric information, once compromised, cannot be changed, unlike other identifiers such as social security numbers. This leaves individuals at heightened risk for identity theft and other negative consequences.
Since its enactment, BIPA has faced several legal challenges and proposals to weaken its protections. However, the Illinois Supreme Court has upheld the law, recognizing the importance of individuals' control over their biometric data and their right to sue companies that unlawfully collect this information.
What is the Texas Capture or Use of Biometric Identifiers Act (CUBI)?
The Texas Capture or Use of Biometric Identifiers Act (CUBI) is a law that regulates the capture, receipt, possession, sharing, and retention of biometric identifiers. The law defines a "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.
Under CUBI, organisations are generally prohibited from capturing biometric identifiers for a commercial purpose unless they first provide notice and obtain consent from the individual. Any disclosures of biometric identifiers must be limited and must be done for specific purposes, such as completing a financial transaction or for law enforcement purposes.
Organisations must protect biometric identifiers with reasonable care and normally must destroy them within a reasonable time – no longer than one year after the purpose for collecting them ends. The Texas Attorney General has exclusive authority to enforce CUBI and can impose civil penalties of up to $25,000 for each violation.
The Texas Attorney General has recently filed cases against Facebook and Google for alleged violations of CUBI, alleging that their products capture biometric data without providing notice or obtaining consent.
Frequently asked questions
Biometric data refers to measurements related to a person's unique physical characteristics, including fingerprints, palm prints, voiceprints, and facial, retinal, or iris scans.
No, there are currently no specific federal laws covering biometric privacy in the US. However, biometric data is addressed by a range of federal laws related to cybersecurity, privacy, and consent.
Illinois, Texas, and Washington have specific biometric privacy laws, while other states, such as California, Colorado, and Virginia, address biometric data within their consumer privacy statutes.
BIPA is a law that regulates the use of biometric identifiers and biometric information in Illinois. It requires entities to obtain informed consent from individuals before collecting their biometric data and prohibits the sale or profit from such data.
If you reside in a state with specific biometric privacy laws, such as Illinois, Texas, or Washington, you are directly protected by those laws. Additionally, some states include biometric data within their consumer privacy statutes, providing indirect protection.