Senators Merkley and Sanders Introduce National Biometric Information Privacy Act of 2020

Today, companies are collecting and processing an increasingly vast amount of biometric data, from fingerprint and face recognition to voice and signature identification.  The collection and use of biometrics are increasingly regulated, with some states imposing notice and consent requirements, and others obligating companies to safeguard biometric data of their residents from unauthorized access and disclosure. However, there is currently no federal legislation regulating collection and use of biometric information.

On August 4, 2020, Oregon Senator Jeff Merkley and Vermont Senator Bernie Sanders introduced a federal biometrics bill, National Biometric Information Privacy Act of 2020 (Act).  The bill is modeled largely on the Illinois Biometric Privacy Act (BIPA) but also includes provisions borrowed from the California Consumer Privacy Act (CCPA).

The Act would apply to “private entities,” which include individuals and businesses that collect and process biometric information.  “Biometric identifiers” under the Act include a retina or iris scan, a voiceprint, a faceprint, fingerprints or palm prints, and any other uniquely identifying information based on the characteristics of an individual gait or other immutable characteristic of an individual.

Under the Act, private entities in possession of biometric information would be required to develop a public written policy that establishes a retention schedule and guidelines for permanently destroying biometric information in their possession.  Private entities would be required to destroy biometric data once the initial purpose for collecting or obtaining data has been satisfied, and in any case within 1 year of the individual’s last intentional interaction with the entity.

In order to collect, capture, purchase, receive through trade, or otherwise obtain biometric data, private entities would need to (1) obtain biometric data to provide a service for an individual or another identified valid business purpose; (2) disclose to the person that biometric data is being collected or stored and the specific purpose and length of term for which data is being collected, stored, and used; and (3) obtain a written release of the biometric data subject.  Notably, a written release may not be combined with any employment contract.  Thus, presumably, employers would not be able to condition employment on the employees’ consent to collection of their biometric information.

The Act would prohibit selling biometric data for profit and would allow its disclosure only when (1) data subject provides a written release for such disclosure; (2) necessary to complete a financial transaction requested or authorized by the data subject; or (3) disclosure is required by law or by a valid warrant or subpoena.  Private entities would be required to use reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure.  Businesses that collect, use, share, or sell biometric data would be required, upon request of an individual, to disclose such information free of charge.

The Act not only provides for a private right of action but explicitly states that a violation of its provisions on collection, retention, disclosure, and destruction of biometric information constitutes “an injury-in-fact and a harm to any affected individual.”  Effectively, this provision codifies the emerging federal case law on standing in the BIPA cases, where courts have held that plaintiffs may sue for purely technical BIPA violations, such as failure to provide written disclosures or obtain written releases.  In case of a negligent violation of the Act, plaintiffs would be able to recover the greater of $1,000 per violation or actual damages.  In case of an intentional or reckless violation, plaintiffs would be able to recover actual damages and punitive damages of up to $5,000 per violation.

The National Biometric Information Privacy Act joins a growing list of proposed federal legislation seeking to regulate collection and use of personal information.  So far, federal privacy legislation has not moved beyond mere proposals as there are strong disagreements among lawmakers on several key issues, including a private right of action and preemption, and there have been few proposals trying to find a compromise on these issues.  We will keep following the developments on the National Biometric Information Privacy Act and other pending federal proposals in our blog.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653