The days of only seeing biometric techniques in spy films are well behind us. A simple thumbprint can open a phone. Systems like Alexa can recognize your voice and play your favorite music. Some banks even allow customers to make payments by using voice command and fingerprint recognition.
In 2008, Illinois became the first state to enact a comprehensive law concerning biometric information. The Illinois Biometric Information Privacy Act regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric information. The legislation requires a private entity in possession of biometric identifiers or biometric information to develop a written policy and make it available to the public. The legislation further exempts the sale, lease, or trade of biometric identifiers or biometric information. The legislation sent shockwaves through the privacy world by creating a private right of action. Under the Illinois law, if a violating entity acts negligently, the prevailing party can recover liquidated damages of $1,000 or actual damages, whichever is greater. If a violating entity acts intentionally or recklessly, the prevailing party can recover liquidated damages of $5,000 or actual damages, whichever is greater. The prevailing party is also entitled to reasonable attorneys’ fees and costs, other litigation expenses, and an injunction.
On the heels of the groundbreaking Illinois law, lawmakers in Maryland, South Carolina, Virginia, and New York have proposed legislation seeking to regulate how companies collect and handle biometric information. All of these states have followed in the footsteps of Illinois by proposing a private right of action. But, as summarized below, while the proposed penalties in some states mirror or are similar to those in Illinois, other states have significantly increased the potential penalties.
The proposed legislation in Maryland allows for a private right of action. Similar to the Illinois law, the prevailing party can recover $1,000 or actual damages against a negligent party, and $5,000 or actual damages against an entity that acted intentionally or recklessly. The prevailing party can also recover attorneys’ fees and costs, including expert witness fees and other litigation expenses. The party may also obtain an injunction.
Unlike the Illinois law, the Maryland legislation does not create an absolute requirement for a private entity to make a publicly available written policy. An exemption may apply if the policy only relates to employees of the private entity and is used solely for internal company operations.
The proposed legislation in South Carolina is substantially broader than the Illinois law. Like in Illinois, the prevailing party can recover $1,000 or actual damages against a negligent entity. The party is also entitled to attorneys’ fees and costs and an injunction. However, if a business intentionally or recklessly violates a provision of the statute, then the floor for recovery increases to $10,000. Moreover, a business that fails to notify consumers of a breach of security within 72 hours is subject to a fine of up to $5,000 for each consumer that was not notified.
Unlike in Illinois, consumers will have a right to know the categories and specific pieces of information collected. The proposed South Carolina legislation also allows businesses to sell biometric information, which is a substantial departure from the law in Illinois. However, consumers may request that a business delete the biometric information or discontinue selling the information. The proposed legislation is similar to the California Consumer Privacy Act in that it requires a business to provide a link on its website for consumers to easily opt out of the sale of their biometric information, and it allows businesses to offer financial incentives for the collection, sale, or deletion of biometric information.
The proposed legislation in Virginia also imposes higher damages. If the legislation passes, an employer who violates the statute would be subject to a civil penalty of up to $25,000 for each violation. However, the statute only applies to employees and employers.
The proposed New York legislation is similar to the Illinois act. The legislation would allow a prevailing party to recover liquidated damages of $1,000 or actual damages against an entity that is found negligent. If an entity acts intentionally or recklessly, the baseline award increases to $5,000. The prevailing party can also recover attorneys’ fees and costs and obtain an injunction.
To recap, businesses found in violation of the biometric laws described above could be required to pay a minimum of $1,000 to $25,000 per private right of action. Considering the magnitude of this risk, businesses should continue to stay apprised of new legislative developments in this area of the law.
For more information on this issue and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog, Online and On Point.