A growing number of states are actively legislating to protect consumers’ personal information, including biometric data. Currently, Illinois, Washington, and Texas have specific laws exclusively focusing on the regulation of biometric data. In contrast, states like Colorado, Connecticut, and Virginia have implemented comprehensive privacy laws that also cover biometric data within broader regulations. Additionally, fourteen other states have recently passed legislation concerning biometric data, which will become effective between July 1, 2024, and January 1, 2026. These laws represent a mix of approaches to the issue, ranging from focused to comprehensive data privacy frameworks.


Enacted in 2008, Illinois’ Biometric Information Privacy Act (BIPA) is the leading framework for biometric data privacy and remains the most protective law in place. In addition to stringent notice and consent requirements, the law prohibits companies from selling or otherwise profiting from consumers’ biometric data and gives consumers a private right of action. In May, the Illinois General Assembly voted to amend BIPA with the purpose of curbing cumulative damages and burdensome litigation against small businesses. The proposed measure limits recovery to a single violation where biometric data is obtained or disclosed without a person’s consent multiple times using the same method of collection. The measure also clarifies that an electronic signature satisfies the written consent requirement. These changes will take effect immediately upon signature by Governor J.B. Pritzker.

Data privacy experts at Quandary Peak Research have observed several features that distinguish Illinois’ BIPA from other state biometric privacy laws, along with key similarities. BIPA and the newer state laws share comparable definitions of biometric data and comparable consent requirements, and all of them carry enforcement mechanisms. The key difference is who enforces: BIPA allows individuals to sue directly, whereas the newer laws leave enforcement to the state Attorney General. Either way, businesses collecting biometric information now face a heightened risk of non-compliance and monetary penalties. To minimize this risk, businesses and their legal advisors should become familiar with the following developments in this evolving field:

  • Delaware Personal Data Privacy Act
  • Florida Digital Bill of Rights 
  • Indiana Consumer Data Protection Act
  • Iowa Consumer Data Protection Act 
  • Kentucky Consumer Data Protection Act
  • Maryland Online Data Privacy Act
  • Minnesota Consumer Data Privacy Act
  • Montana Consumer Data Privacy Act 
  • Nebraska Data Privacy Act
  • New Hampshire Data Privacy Act
  • New Jersey Data Privacy Act
  • Oregon Consumer Privacy Act 
  • Tennessee Information Protection Act 
  • Texas Data Privacy and Security Act
Infographic: 14 New State Laws Influenced by BIPA

Sensitive and Biometric Data Defined

Overall, these laws categorize biometric data as “sensitive data,” which also encompasses the data of children, geolocation data, and other data revealing protected characteristics. 

Under BIPA, biometric data is divided into two regulated categories:

  • Biometric identifiers are specific measurements such as fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry, explicitly excluding photographs and audio or video recordings.
  • Biometric information is any information, regardless of how it is captured, converted, stored, or shared, that is based on a biometric identifier and used to identify an individual.

Contrasting with BIPA, newer laws generally consolidate these into a single category of “biometric data,” defined as data from automatic measurements of unique biological characteristics. Similar to BIPA, this definition typically excludes photographs, audio, and video recordings, and data derived from them. However, variations in exclusions can occur across different states.

Companies deploying facial recognition software or virtual try-on (VTO) applications in these states should take precautions. Last year, Quandary Peak experts explored the potential for BIPA enforcement against facial recognition technology. As predicted, the line between what constitutes biometric data and what is merely a photograph continues to raise questions.

Requirements for Sensitive Data

Beyond the general protections afforded to personal data, such as the rights to know, opt out, correct, and delete data, there are stringent and nuanced requirements specifically governing the handling of sensitive or biometric data. These regulations vary significantly by jurisdiction and typically involve mandatory consumer consent prior to data processing, clear notices about data usage, and, in some cases, outright prohibitions against certain data practices even with consent.

For example, Delaware, along with Indiana, Minnesota, Montana, Nebraska, Oregon, and Tennessee, prohibits controllers from processing sensitive data without first obtaining the consumer’s consent. Delaware further requires that controllers provide an effective mechanism for a consumer to revoke that consent. In Florida, controllers may not sell personal data that is sensitive data without prior consent and must display the specific notice, “NOTICE: This website may sell your sensitive personal data.” In Iowa, a controller must give the consumer clear notice and an opportunity to opt out of the processing of sensitive data. Kentucky likewise requires controllers to give consumers the opportunity to opt out. Texas adds a requirement that controllers selling sensitive or biometric data disclose this in their privacy notices.

Maryland is perhaps the most restrictive, limiting the processing of sensitive consumer data, regardless of consent, to what is strictly necessary to provide or maintain a specific product or service the consumer has requested. Maryland further prohibits the sale of sensitive data outright, regardless of consent, among a list of other restrictions.

Criteria for Compliance: Who Needs to Follow State Privacy Laws?

Generally, these state privacy laws apply to commercial businesses that control or process the personal data of a certain number of consumers who are residents of the state, or that derive a certain percentage of gross revenue from the sale of residents’ personal data. Florida, however, has added a provision that narrows the applicability of its law. That provision targets businesses with more than $1 billion in global gross annual revenue that also meet at least one of the following criteria: deriving 50% or more of global gross revenue from online advertising sales, operating a consumer smart speaker and voice command service, or operating an app store or digital distribution platform with at least 250,000 different software applications. Small businesses in Florida can therefore continue their digital advertising largely unaffected, while the data-driven activity of tech giants such as Amazon, Meta, Google, and Apple falls within the law’s reach.

Regulatory Enforcement and Penalties Across States

Unlike BIPA, which provides a private right of action for violations, these new privacy laws with biometric data protections mostly grant exclusive enforcement authority to the state’s Department of Justice or Attorney General. Most of these laws, however, allow for a cure period, which varies by state: 30 days in Indiana; 45 days in Florida; 60 days in Montana and Tennessee; and 90 days in Iowa. After the cure period expires, the DOJ or Attorney General may pursue enforcement actions for each violation, including civil penalties of up to $7,500 per violation in Indiana, Iowa, Kentucky, and Oregon; up to $15,000 in Tennessee; and up to $50,000 in Florida.

Get Expert Help with Consumer Privacy Laws and Biometric Data Cases

Expert witnesses at Quandary Peak Research have deep experience with privacy laws and facial recognition class action cases. Contact us today to recruit a software expert who is experienced with data privacy and the technologies involved.