Biometric Privacy Law Update

We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.

Critical industry insight and formidable strength across key practices.

Share and Download

Since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states (including Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington). Broadly speaking, these bills would impose new requirements on companies’ collection, handling, protection, use, and dissemination of biometric information (such as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry). Many of these bills would greatly increase the compliance risk and liability exposure of companies that handle biometric information and are therefore worth tracking closely.

Currently, the collection and use of biometric information is governed by a patchwork of legal frameworks. For example, comprehensive state privacy laws in California, Colorado, Virginia, Connecticut, and Utah regulate biometric information as a form of “sensitive” information. Meanwhile, some states and municipalities have elected to restrict the use of specific types of biometric data in narrower use cases, such as Colorado’s 2022 law restricting the use of facial recognition technology by state and local government agencies.

The dominant statute in the biometric privacy legal landscape, however, is Illinois’s Biometric Information Privacy Act (BIPA). Though Washington and Texas have their own state biometric privacy laws in place, Illinois’s BIPA is the only such law that is enforceable through a private right of action. That private right of action can generate substantial liability for companies, ranging from $1,000 per violation for negligent violations to $5,000 per violation for intentional or reckless violations (or, in either case, actual damages). Indeed, in October 2022, a federal court in the Northern District of Illinois awarded a plaintiff class $228 million in damages in a BIPA suit against BNSF Railway. Moreover, the Illinois Supreme Court has recently handed down two decisions that expand the scope of BIPA legal exposure even further. Earlier this month, on February 2, in Tims v. Black Horse Carriers, Inc., the Court held that individuals have five years (rather than one) after an alleged BIPA violation to bring claims under the statute’s private right of action. And just last week, on February 17, the Court held in Cothron v. White Castle System, Inc. that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [the Act].”

The majority of the 2023 state biometric privacy bills that have been introduced to date are modeled on Illinois’s BIPA, including that statute’s private right of action and damages provisions. Thus, these bills have the potential, like BIPA, to greatly increase the compliance risk and liability exposure of companies that collect and process biometric information. Such companies (particularly those that handle the biometric information of residents of Illinois and any other states considering BIPA-like legislation) should ensure that their data handling and processing procedures are aligned with the requirements of BIPA and BIPA-like proposed legislation.

In this post, we summarize key takeaways from the state biometric privacy bills that have been introduced in the 2023 legislative session, then provide a detailed breakdown of each bill’s provisions. We are happy to answer any questions you may have on these issues.

KEY TRENDS AND HIGHLIGHTS

1. Standalone Bills: Most of these bills are standalone bills focused solely on biometric privacy issues. However, in four states (Maryland, New York, Vermont, and Washington), biometrics-specific provisions are embedded into broader comprehensive privacy law proposals.

2. Common Elements: Most of the bills closely mirror the key provisions of Illinois’s Biometric Information Privacy Act (BIPA). These include:

3. Applicability: Most of the bills apply only to private sector entities. New York’s Digital Fairness Act and Washington’s People’s Privacy Act are the two exceptions, applying to both private and public-sector organizations.

4. Current Status: Most of the bills remain in the early stages of the legislative process, with many having only, at most, been referred to committees. Three bills have made more notable progress:

2023 PROPOSALS

Arizona

2. Current Status: As of February 23, 2023, the bill had been passed by the Transportation and Technology Committee (2/6/23) and approved by the Rules Committee (2/13/23).

3. Key Provisions:

Hawaii

1. Bill Title: Hawaii Biometric Information Privacy Act (SB 1085)

2. Current Status: As of February 23, 2023, the bill had been deferred by the Labor and Technology Committee (2/10/23).

3. Key Provisions:

Maryland

1. Bill Title: Biometric Data Privacy Act (HB 33/SB 169)

2. Current Status: As of February 23, 2023, HB 33 had been subject to a hearing in the Economic Matters Committee (2/1/23) and SB 169 had been subject to a hearing in the Finance Committee (1/21/23).

3. Key Provisions:

Maryland

1. Bill Title: Online and Biometric Data Privacy Act (SB 698/HB 807)

2. Current Status: As of February 23, 2023, SB 698 has a Finance Committee hearing scheduled for 3/8/23 (2/7/23), and HB 807 had a hearing in the Economic Matters Committee on 2/22/23.

3. Key Provisions:

Massachusetts

2. Current Status: As of February 23, 2023, the bill had been filed on the House docket (1/20/23).

3. Key Provisions:

Massachusetts

1. Bill Title: Biometric Information Privacy Act (SD 2218)

2. Current Status: As of February 23, 2023, the bill had been filed on the Senate docket (1/20/23).

3. Key Provisions:

Minnesota

2. Current Status: As of February 23, 2023, the bill had been referred to the Commerce and Consumer Protection Committee (1/30/23).

3. Key Provisions:

Mississippi

1. Bill Title: Biometric Identifiers Privacy Act (HB 467)

2. Current Status: This bill died in the Judiciary Committee on January 31, 2023.

3. Key Provisions:

Missouri

1. Bill Title: Biometric Information Privacy Act (HB 1047)

2. Current Status: As of February 23, 2023, the bill had been read for the second time in the House (2/7/23).

3. Key Provisions:

New York

1. Bill Title: Biometric Privacy Act (A. 1362/S. 4457)

2. Current Status: As of February 23, 2023, A. 1362 had been referred to the Assembly Consumer Affairs and Protection Committee (1/17/23), and S. 4457 had been referred to the Senate Consumer Affairs and Protection Committee (2/9/23).

3. Key Provisions:

New York

2. Current Status: As of February 23, 2023, the bill had been referred to the Consumer Affairs and Protection Committee (1/20/23).

3. Key Provisions:

New York

1. Bill Title: Digital Fairness Act (S. 2277/A. 3308)

2. Current Status: As of February 23, 2023, S. 2277 had been referred to the Internet and Technology Committee (1/19/23), and A. 3308 had been referred to the Consumer Affairs and Protection Committee (2/2/23).

3. Key Provisions:

Tennessee

1. Bill Title: Consumer Biometric Data Protection Act (SB 339/HB 932)

2. Current Status: As of February 23, 2023, SB 339 had been referred to the Commerce and Labor Committee (1/25/23), and HB 932 had been assigned to the Banking and Consumer Affairs Subcommittee of the Commerce Committee (2/7/23).

3. Key Provisions:

Vermont

2. Current Status: As of February 23, 2023, the bill had been referred to the Committee on Commerce and Economic Development (1/26/23).

3. Key Provisions:

Washington

1. Bill Title: People’s Privacy Act (HB 1616/SB 5643)

2. Current Status: As of February 23, 2023, HB 1616 had been referred to the Civil Rights and Judiciary Committee (1/26/23), and SB 5643 had been referred to the Environment, Energy, and Technology Committee (1/31/23).

3. Key Provisions: