U.S. Biometrics Laws Part I: An Overview of 2020

Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses.  From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.

Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws.  As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person.  As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field.  Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.

The United States does not have a single, comprehensive federal law governing biometric data.  Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data.  In Part I, we summarize some of the legislative activity on biometric laws from 2020.  We will describe other noteworthy legislation to monitor for 2021 in Part II.

What happened in 2020?

The Illinois Biometric Information Privacy Act (BIPA), passed in 2008, remains the leading statute for biometric litigation.  Under BIPA, businesses handling biometric data must obtain informed consent before collecting such data, limit disclosure of that data, refrain from profiting from the data, provide data retention protections, and store the data using a reasonable standard of care in the businesses’ industry and consistent with businesses’ handling of other sensitive information.  BIPA carries a private right of action for harmed individuals, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.  Recent cases interpreting the statute have paved the way for an increasing number of lawsuits.

States considering biometric legislation look to BIPA as a model for their own states’ potential enactment of biometrics privacy laws.  Many states have proposed legislation mirroring BIPA’s compliance requirements and providing a private right of action by consumers. Other states have proposed laws that consider biometrics in connection with broader data privacy and data breach requirements to be only enforceable by the state’s attorney general (e.g., Texas).  In either scenario, businesses that even unknowingly violate biometrics statutes like BIPA stand to face staggeringly high damages exposure where large classes are involved.  See, e.g., In re Facebook Biometric Information Privacy Litigation, No. 3:15-cv-03747-JD (N.D. Cal. Aug. 19, 2020) (granting preliminary approval of class action settlement totaling $650,000,000).

In 2020, Arizona, Maryland, New Hampshire, South Carolina, and West Virginia introduced but did not successfully pass biometrics legislation.  Some states, such as Idaho, South Dakota, and Louisiana, introduced specific facial recognition legislation, but refrained from proposing comprehensive biometrics legislation.  Moreover, other states, including Rhode Island, Virginia, Washington, and Wisconsin introduced biometrics components connected to broader data privacy statutes, but also stopped short of comprehensive biometrics legislation.  We limit our summary below to the states that introduced specific biometrics legislation in 2020.

In Part II we discuss what to expect in 2021.