Florida Legislature Considers Biometric Information Privacy Act
The Florida Biometric Information Privacy Act was introduced into the state legislature by Senator Gary Farmer and Representative Bobby DuBose recently. It is listed as Senate Bill 1270 and House Bill 1153. For the most part, it is a copy of the Illinois BIPA.
The bill prohibit the collection, capture, purchase and receipt of customer biometric identifiers or biometric information unless there is notice in writing concerning its collection/storage, the retention period, and a “written release executed by the subject … or legally authorized representative.” It would also require a private entity to develop a publicly available written policy with retention schedule.
It furthermore prohibits selling, leasing, trading or otherwise profiting from the biometric identifier or information. It prohibits disclosure or other dissemination without consent, unless it completes a financial transaction, it is required by law or ordinance, or is required by a valid warrant or subpoena.
For private entities in possession of such information, it imposes a reasonable standard of care within the industry on the entity. The minimum standard is the “same as or more protective than” it holds other confidential and sensitive information.
Biometric identifier is defined as “a retina or iris scan, fingerprint, voice print, or scan of hand or face geometry. There is a long list of exclusions including writing samples, signatures, photographs, tattoo descriptions, physical descriptions, and others.
Biometric information is defined as any information based on an individual’s biometric identifier used to identify an individual. The manner in which it is captured, converted, stored or shared is irrelevant to whether it is biometric information. Information derived from exclusions to biometric identifiers are not considered biometric information.
The “written release” must provide for informed written consent or for employees a release executed as a condition of employment.
The bill applies broadly to a private entity, which is defined as any individual, partnership, corporation, LLC, association or other group.
The law would permit the filing of a cause of action with recovery of $1,000 for negligent violations and $5,000 for intentional or reckless violations by private entities. It also allows the recovery of reasonable attorney fees and other relief the court deems appropriate. If passed, the law would take effect on October 1, 2019.
There are a few minor differences between the text of the Illinois Biometric Information Privacy Act and the proposed Florida bill. The Illinois Supreme Court recently concluded that no actual injury (harm) was required to permit an individual to have standing to sue under the law.
The Florida bill is one of a number on biometric privacy being considered in states across the United States, including NY SB 1203, which was introduced again in January, and Massachusetts’ version of the CCPA which covers biometric information with a broad private right of action.
Other Relevant Posts:
Maine Considering LD 946 to Protect Privacy of ISP Customers
Illinois House Passes Data Transparency and Privacy Act; Senate Passes KIDS Act
Texas Considers Consumer Privacy Act and Privacy Protection Act
Update: Special Session of Appropriations Committee Saves Washington Privacy Act for Another Week
No Washington Privacy Act This Year?
Washington Privacy Act – Initial Look at the Current House Version
Summary of Connecticut SB 1108 on Data Privacy
Summary of Public Hearings on Maryland Online Consumer Protection Act
Summary of Washington Privacy Act After State Senate Passes
Maryland Considering SB613 / HB0901 – Online Consumer Protection Act
With SD341, Massachusetts Joins States Considering CCPA-like Data Privacy Laws
Public Hearing on Washington Privacy Act (SSB 5376) in Senate Ways & Means – More Work to Be Done?
State CCPA Privacy Bills in Rhode Island, Hawaii and New Jersey
North Dakota Considers Study on Privacy Practices of Data Brokers