Senators Jeff Merkley (D-Merkley) and Bernie Sanders (I-Vermont) recently introduced the National Biometric Information Privacy Act (NBIPA), which would require private entities to obtain consumers’ and employees’ written consent prior to collecting their biometric information and expand nationwide individuals’ access rights and rights to request additional information from businesses.  The bill also would grant a private right of action.  Unlike other proposals that focus on regulating the use and funding of biometric surveillance technology by government entities, the NBIPA regulates private entities’ use of biometrics.

The proposed measure would limit the collection of biometric identifiers or information.  Biometric identifiers are defined to include retina or iris scans, voiceprints, faceprints, fingerprints or palm prints, and “any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual.”  Specifically, businesses would be prohibited from collecting biometric identifiers or information unless the business needs it (a) to provide a service to the specific consumer, or (b) “for another valid business purpose” specified in a required written policy.  This written policy must include a retention schedule and guidelines for destroying covered biometric data.  Private entities also generally would be prohibited from disclosing, selling, leasing, trading, using for advertising purposes, or otherwise profiting from a person’s biometric information or identifier unless they obtain a written release, the disclosure completes a financial transaction, or the disclosure is required by federal or local law.

Additionally, NBIPA borrows from the California Consumer Privacy Act by creating an individual’s “right to know” about the “personal information” collected about them.  The current bill as written does not define the term “personal information.” Upon a request from an individual, a business would be required to disclose the categories and specific pieces of personal information collected by the business, the categories of sources from which the business collected the personal information, the purposes for which the business uses the personal information, the categories of third parties with whom the business shares the personal information, and the categories of information that the business sells or discloses to third parties.

Potential penalties may be substantial.  Individuals would have the right to bring private suits against businesses that violate the law.  State Attorneys General would be authorized to bring actions on behalf of their states’ residents.  For negligent violations, penalties may range from $1,000 per violation and up (if the actual damage suffered by the plaintiff is greater).  For intentional or reckless violations, penalties would consist of up to $5,000 per violation plus actual damages suffered by the plaintiff.

This private right of action is particularly notable because the state law upon which some of the language appears to be based—the Illinois BIPA—has attracted a flood of class action lawsuits, most of which involve suits against employers utilizing biometric data for employee timekeeping.  The proposed NBIPA expressly covers employment-related data.

Introduction of this bill follows increased Congressional interest in regulating biometric surveillance and facial recognition technology.  In June, Senator Merkley, along with Senator Ed Markey (D-Massachusetts), Congresswoman Pramila Jayapal (D-Washington 7th District), and Congresswoman Ayanna Pressley (D-Massachusetts 7th District) introduced the Facial Recognition and Biometric Technology Moratorium Act, which would prohibit the use or funding of biometric and facial recognition technology by federal entities as well as provide a private right of action.  Earlier in the year, Senator Merkley also co-sponsored the Ethical Use of Facial Recognition Act with Senator Cory Booker (D-New Jersey), which would institute a similar moratorium and impose specific restrictions relating to the use of facial recognition technology in cameras.

Print:
EmailTweetLikeLinkedIn
Photo of Kurt Wimmer Kurt Wimmer

Kurt Wimmer is a partner concentrating in privacy, data protection and technology law.  He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies.  Mr. Wimmer is rated…

Kurt Wimmer is a partner concentrating in privacy, data protection and technology law.  He advises national and multinational companies on privacy, data security and technology issues, particularly in connection with online and mobile media, targeted advertising, and monetization strategies.  Mr. Wimmer is rated in the first tier by Legal 500, designated as a national leader in Chambers USA, and is included in Best Lawyers in America in four categories.  He represents companies and associations on public policy matters before the FTC, FCC, Congress and state attorneys general, as well as in privacy assessments and policies, strategic content ventures, copyright protection and strategy, content liability advice, and international matters.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the…

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.