Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures; and (iii) mandate specific retention criteria, as described below.
Maryland
The Maryland bill is closely modeled after BIPA and includes provisions limiting the collection, use, retention, and sharing of covered biometric data of Maryland residents. The bill would also prohibit private entities from profiting from covered data and would grant residents a private right of action to seek the greater of actual damages or statutory damages of $1,000, and reasonable attorney’s fees for violations of the act. Unlike BIPA, the Maryland bill also appears to borrow from the California Consumer Privacy Act (“CCPA”) by including CCPA-style access and anti-discrimination rights, as well as giving consumers the right to request deletion of their data. In particular, the bill would require that covered entities:
- disclose in response to consumers’ requests the biometric information collected about them, the purposes for which it was used, and the categories of third party recipients of that data, among other things;
- delete biometric data within 30 days of receiving a verified deletion request from a consumer; and
- refrain from discriminating against a consumer by conditioning a service or lower price on the provision of biometric data.
California
The California bill is also similar to BIPA and the Maryland bill in terms of collection, retention, and disclosure restrictions. The proposed California bill notably differs from other state biometric privacy legislation by including an expansive definition of “biometric information” that includes things like behavioral and physiological characteristics, among other data not covered in Illinois, Texas’ Capture or Use of Biometric Identifier Act (CUBI), or under the Maryland proposal discussed above. The California bill would also supplement the California Privacy Rights Act (“CPRA”), which includes biometric information in the definition of “sensitive personal information,” by expanding limitations on use and disclosure of biometric information.
Other key provisions of the California bill include:
- Retention: Covered entities must make publicly available a retention schedule and guidelines for destroying biometric information within the following timeframes:
  - The date on which the initial purpose for collection is satisfied if consent was freely given or could have been declined without consequence; or
  - One year after the individual’s last intentional interaction with the entity.
- Private Right of Action: Entities found liable for violations of the act are subject to the greater of statutory damages ranging from $100 to $1000 or actual damages, punitive damages, and attorney’s fees and litigation costs.
Takeaways
Both the California and Maryland bills were introduced in the same week, and if enacted they would be the first state biometric privacy bills passed in over a decade. This renewed legislative attention, along with continued litigation under BIPA and the Texas Attorney General’s recent lawsuit under CUBI, suggests that biometrics are likely to remain a focal point of regulatory and legislative interest over the next few years. And given Illinois’ experience with BIPA over the last several years, both bills’ private-right-of-action provisions suggest that, if these bills are enacted, the potential litigation risks for businesses that rely on or provide services based on the use of biometric data are likely to significantly increase.