Senators Jeff Merkley (D-Merkley) and Bernie Sanders (I-Vermont) recently introduced the National Biometric Information Privacy Act (NBIPA), which would require private entities to obtain consumers’ and employees’ written consent prior to collecting their biometric information and expand nationwide individuals’ access rights and rights to request additional information from businesses.  The bill also would grant a private right of action.  Unlike other proposals that focus on regulating the use and funding of biometric surveillance technology by government entities, the NBIPA regulates private entities’ use of biometrics.

The proposed measure would limit the collection of biometric identifiers or information.  Biometric identifiers are defined to include retina or iris scans, voiceprints, faceprints, fingerprints or palm prints, and “any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual.”  Specifically, businesses would be prohibited from collecting biometric identifiers or information unless the business needs it (a) to provide a service to the specific consumer, or (b) “for another valid business purpose” specified in a required written policy.  This written policy must include a retention schedule and guidelines for destroying covered biometric data.  Private entities also generally would be prohibited from disclosing, selling, leasing, trading, using for advertising purposes, or otherwise profiting from a person’s biometric information or identifier unless they obtain a written release, the disclosure completes a financial transaction, or the disclosure is required by federal or local law.

Additionally, NBIPA borrows from the California Consumer Privacy Act by creating an individual’s “right to know” about the “personal information” collected about them.  The current bill as written does not define the term “personal information.” Upon a request from an individual, a business would be required to disclose the categories and specific pieces of personal information collected by the business, the categories of sources from which the business collected the personal information, the purposes for which the business uses the personal information, the categories of third parties with whom the business shares the personal information, and the categories of information that the business sells or discloses to third parties.

Potential penalties may be substantial.  Individuals would have the right to bring private suits against businesses that violate the law.  State Attorneys General would be authorized to bring actions on behalf of their states’ residents.  For negligent violations, penalties may range from $1,000 per violation and up (if the actual damage suffered by the plaintiff is greater).  For intentional or reckless violations, penalties would consist of up to $5,000 per violation plus actual damages suffered by the plaintiff.

This private right of action is particularly notable because the state law upon which some of the language appears to be based—the Illinois BIPA—has attracted a flood of class action lawsuits, most of which involve suits against employers utilizing biometric data for employee timekeeping.  The proposed NBIPA expressly covers employment-related data.

Introduction of this bill follows increased Congressional interest in regulating biometric surveillance and facial recognition technology.  In June, Senator Merkley, along with Senator Ed Markey (D-Massachusetts), Congresswoman Pramila Jayapal (D-Washington 7th District), and Congresswoman Ayanna Pressley (D-Massachusetts 7th District) introduced the Facial Recognition and Biometric Technology Moratorium Act, which would prohibit the use or funding of biometric and facial recognition technology by federal entities as well as provide a private right of action.  Earlier in the year, Senator Merkley also co-sponsored the Ethical Use of Facial Recognition Act with Senator Cory Booker (D-New Jersey), which would institute a similar moratorium and impose specific restrictions relating to the use of facial recognition technology in cameras.