A dozen states have introduced privacy legislation this year that would rein in companies’ unchecked ability to collect and sell consumers’ biometric data such as fingerprints and images of their faces. The bills are part of a wave of state-level privacy legislation that includes more than a dozen children’s online privacy bills as well as a growing number of bills modeled after the comprehensive privacy legislation that Congress introduced last year.
Concerns over the collection and sale of biometric data have flared in recent years in light of the increased use of facial recognition technology, fingerprinting and iris scans. The rapid adoption of the technology has alarmed policymakers and security experts due to the uniquely sensitive nature of biometric data, which, unlike a password or account number, is impossible to change if stolen or misused.
Congressional efforts to address the concerns about online privacy have largely failed. Last year, federal privacy legislation that covered biometric data passed out of a House committee but floundered on the floor and its Senate companion didn’t even reach a vote. States, tired of waiting around, have increasingly filled in the gaps with their own laws.
State laws regarding biometric privacy aren’t a new concept. Illinois passed the nation’s first state-level biometric information privacy act (BIPA) in 2008. Texas followed with its own legislation a year later and Washington state passed a biometric privacy act in 2017.
However, the Illinois law has quickly become the go-to model for the new crop of states trying to shore up biometric privacy legislation. Advocates for new biometric privacy laws say that it’s because BIPA is so successful.
One of the biggest examples that advocates point to is the settlement last year of a lawsuit by the ACLU against Clearview AI that was brought under BIPA. As a result, Clearview AI agreed to a ban prohibiting it from selling its controversial facial recognition database to most private businesses and entities nationwide. The ACLU was able to bring the lawsuit in Illinois because the state’s biometric privacy legislation allows for a private right of action, or the ability for an individual to privately sue for violations under public laws.
That private right of action is “critically important” and sets Illinois’ law apart from Washington and Texas, says Chad Marlow, senior policy counsel at the ACLU. “The biometric protection laws in Texas and Washington state are relatively good, but because they lack a private right of action they’re extraordinarily under-enforced,” said Marlow. “The Attorney General’s offices either don’t have the time, money, resources or inclination to proactively be enforcing this law.”
The ACLU is now trying to get more states to follow Illinois’ lead and began shopping its own model biometric privacy legislation late last year. The legislation largely copies BIPA with a few updates, such as clarifying that individuals don’t need to prove actual damages to sue. The model bill sets damages at a minimum of $1,000 for negligent violations of the law and a minimum of $5,000 for intentional violations of the law.
The campaign has been successful so far. Marlow says that, according to the ACLU’s tracking, states have introduced 17 biometric privacy bills so far this year, 11 of which follow the ACLU’s blueprint. The interest is largely bipartisan. Republicans have introduced biometric privacy legislation in four states while Democrats have pushed the effort in eight states.
The twelve states to introduce biometric privacy legislation are: Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, Washington and Kentucky.
The law in Illinois has drawn industry detractors who claim the legislation is overly broad and leads to frivolous lawsuits. There have been more than 2,000 lawsuits filed under BIPA and tech companies have often been on the losing end. Facebook reached a $650 million settlement over claims brought under the law that the social media giant’s “tag suggestions” feature involved collecting and storing face scans without user consent. Facebook denied wrongdoing and ultimately scrapped the project. Google reached a $100 million settlement over alleged violations of the law.
Tech companies aren’t the only entities affected by the legislation. The collection of employee biometric data by healthcare providers has also been a long-standing source of litigation, so much so that some lawmakers have attempted to exempt healthcare employers. Questions like the statute of limitations under BIPA have been left up to Illinois courts to interpret.
“There are still many open questions with BIPA,” said Anna Mouw Thompson, counsel at law firm Perkins Coie. “There are close to 2,000 lawsuits at this point and yet so few decisions on the merits of what various provisions under BIPA mean. I think there are still a lot more questions than answers when it comes to BIPA.”
Finding a balance between strong privacy protections and not hindering functions such as identity authentication is a challenge that states will have to grapple with in designing new legislation, some experts say.
“It’s trying to figure out what is the correct balance between, okay, you want to make sure you have a strong biometric data privacy law, but not one that’s going to make it really difficult to use that kind of data for security purposes,” said Tatiana Rice, senior counsel at the Future of Privacy Forum. “It’s really important to develop the contours of the law intentionally in a way that allows you to mitigate the largest risks and not have unnecessary obligations that hinder everyday life.”
Maryland’s Biometric Data Privacy Act, introduced by Delegate Sara Love, tries to strike this balance. Love’s bill requires companies to get consumer consent before collecting biometric data and creates a retention schedule for how often that data should be purged. The bill also prohibits entities from selling, leasing or trading biometric data.
“Nobody is trying to stop companies from using biometric data; we’re saying be responsible with how you use it,” Love told CyberScoop.
The bill passed out of Maryland’s House of Delegates last year and stalled in the Senate, but Love was optimistic about the legislation’s chances this year. She said that both lawmakers and citizens have gotten wiser about the fact that companies are collecting biometric data without any guardrails and are concerned.
The Maryland bill takes a narrower approach to the private right of action than the model being pushed by the ACLU. The bill would give consumers a limited private right of action to sue if their data is sold in violation of the law. Other violations of the law are to be enforced by the Maryland Attorney General.
The middle-of-the-road approach hasn’t satisfied industry critics. At a hearing last week for Maryland’s Biometric Data Privacy Act, several trade groups leading the push against BIPA copies, including TechNet, the Computer and Communications Industry Association and the State Privacy & Security Coalition, testified against the bill, claiming it would stifle innovation and make consumers less safe by making it harder for companies to use identity authentication technologies.
Caitriona Fitzgerald, deputy director at the Electronic Privacy Information Center, who testified in favor of Maryland’s Biometric Data Privacy Act, told CyberScoop that nothing about BIPA or its emulators prevents companies from using biometric technology. “They could still do it; there just has to be that step of suitably informing the individual about the biometric collection and making sure that they’re getting their consent,” said Fitzgerald.
The new crop of biometric privacy laws could pose new considerations for Congress, where House lawmakers are on track to reintroduce last year’s federal privacy legislation. That bill, which introduced a private right of action on a two-year delay, also carved out a rare exception from preemption for Illinois’ BIPA. It’s not clear how federal lawmakers would offer similar carveouts to other states with BIPA-like laws.
“I think it raises the bar for what you need to see in federal privacy law,” Fitzgerald said. “If Congress is considering pre-empting state laws, it has to be stronger than those state laws.”