Senators Jeff Merkley (D-Merkley) and Bernie Sanders (I-Vermont) recently introduced the National Biometric Information Privacy Act (NBIPA), which would require private entities to obtain consumers’ and employees’ written consent prior to collecting their biometric information and expand nationwide individuals’ access rights and rights to request additional information from businesses.  The bill also would grant a private right of action.  Unlike other proposals that focus on regulating the use and funding of biometric surveillance technology by government entities, the NBIPA regulates private entities’ use of biometrics.

The proposed measure would limit the collection of biometric identifiers or information.  Biometric identifiers are defined to include retina or iris scans, voiceprints, faceprints, fingerprints or palm prints, and “any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual.”  Specifically, businesses would be prohibited from collecting biometric identifiers or information unless the business needs it (a) to provide a service to the specific consumer, or (b) “for another valid business purpose” specified in a required written policy.  This written policy must include a retention schedule and guidelines for destroying covered biometric data.  Private entities also generally would be prohibited from disclosing, selling, leasing, trading, using for advertising purposes, or otherwise profiting from a person’s biometric information or identifier unless they obtain a written release, the disclosure completes a financial transaction, or the disclosure is required by federal or local law.

Additionally, NBIPA borrows from the California Consumer Privacy Act by creating an individual’s “right to know” about the “personal information” collected about them.  The current bill as written does not define the term “personal information.” Upon a request from an individual, a business would be required to disclose the categories and specific pieces of personal information collected by the business, the categories of sources from which the business collected the personal information, the purposes for which the business uses the personal information, the categories of third parties with whom the business shares the personal information, and the categories of information that the business sells or discloses to third parties.

Potential penalties may be substantial.  Individuals would have the right to bring private suits against businesses that violate the law.  State Attorneys General would be authorized to bring actions on behalf of their states’ residents.  For negligent violations, penalties may range from $1,000 per violation and up (if the actual damage suffered by the plaintiff is greater).  For intentional or reckless violations, penalties would consist of up to $5,000 per violation plus actual damages suffered by the plaintiff.

This private right of action is particularly notable because the state law upon which some of the language appears to be based—the Illinois BIPA—has attracted a flood of class action lawsuits, most of which involve suits against employers utilizing biometric data for employee timekeeping.  The proposed NBIPA expressly covers employment-related data.

Introduction of this bill follows increased Congressional interest in regulating biometric surveillance and facial recognition technology.  In June, Senator Merkley, along with Senator Ed Markey (D-Massachusetts), Congresswoman Pramila Jayapal (D-Washington 7th District), and Congresswoman Ayanna Pressley (D-Massachusetts 7th District) introduced the Facial Recognition and Biometric Technology Moratorium Act, which would prohibit the use or funding of biometric and facial recognition technology by federal entities as well as provide a private right of action.  Earlier in the year, Senator Merkley also co-sponsored the Ethical Use of Facial Recognition Act with Senator Cory Booker (D-New Jersey), which would institute a similar moratorium and impose specific restrictions relating to the use of facial recognition technology in cameras.

Tags: Biometrics, BIPA, Data Subject Rights, U.S. Congress
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less