Avoiding Biometric Privacy Class Actions After Md., NY Bills

Law360

Over the past two years, the Illinois Biometric Information Privacy Act has developed into the hottest new class action trend, spurring an onslaught of bet-the-company class actions fueled by the law's low bar for establishing liability and high statutory damages awards.

On the heels of New York's proposed Biometric Privacy Act, Maryland recently became the second state in 2021 to introduce targeted biometric privacy legislation modeled after Illinois' stringent biometric privacy law.

If enacted, Maryland's Biometric Identifiers and Biometric Information Privacy Act — H.B. 218 and S.B. 16 — would impose significant compliance burdens on companies that handle biometric data in the state.

More importantly, the Maryland bill's private right of action provision would likely bring with it an avalanche of class actions similar to what companies are now facing in connection with Illinois' BIPA.

From a broader perspective, the Maryland bill would, if successful, likely generate further momentum for other states and cities to enact similar laws of their own.

Overview of the Maryland Biometric Identifiers and Biometric Information Privacy Act

The Maryland bill mirrors many of the provisions contained in Illinois' biometric privacy law, and would mandate that companies adhere to the following requirements and limitations:

  • The maintenance of privacy policies and guidelines/schedules for the retention and destruction of biometric data;
  • A ban on selling or profiting from biometric data;
  • A prohibition on disclosing or sharing an individual's biometric data in the absence of consent; and
  • The implementation of reasonable data security measures.

The bill also provides for remedies that are a carbon copy of its Illinois counterpart in the form of a private right of action allowing aggrieved individuals to recover between $1,000 and $5,000 for each violation of the law, as well as attorney fees.

Differences Between the Maryland Bill and Illinois' BIPA

While the Maryland bill is closely aligned with Illinois' BIPA, there are several differences between the two laws.

First, the Maryland legislation defines the scope of covered biometric data in a much broader fashion than BIPA.

Second, the Maryland bill provides an exception from the publicly available privacy policy requirement where the policy (1) applies only to the employees of a covered business and (2) is used solely for internal company operations.

Third — and most importantly — unlike the Illinois BIPA, the Maryland bill does not require businesses to provide notice and obtain written consent prior to collecting an individual's biometric data. This is a significant departure from Illinois' biometric privacy statute, as violations of these notice and consent requirements have been focal points in the vast majority of Illinois BIPA class lawsuits to date.

What This Means for Companies That Use Biometric Data

Of note, both the Maryland bill and the proposed New York Biometric Privacy Act include private right of action provisions as their main enforcement mechanism.

This stands in stark contrast to the majority of biometric privacy bills introduced during previous legislative cycles, which tended to place enforcement powers in the hands of state attorneys general.

At the same time, two other recently enacted biometric privacy laws — Portland, Oregon's private sector facial recognition ban and New York City's biometric privacy ordinance governing commercial establishments — both include private rights of action as well.

Taken together, a significant trend is emerging with lawmakers clearly favoring the inclusion of provisions that allow class actions to be pursued for noncompliance as an integral component of this new wave of biometric privacy legislative proposals.

In turn, a real possibility now exists that the same tsunami of class litigation that has been generated in connection with Illinois' biometric privacy law may soon arrive in other parts of the country.

Moreover, should Maryland and New York prevail in enacting new biometric privacy legislation, it may trigger a domino effect whereby other states and municipalities quickly follow suit.

Practical Guidance: Proactive Compliance Measures

While the Maryland bill marks the second legislation of its kind to be introduced by state lawmakers in 2021, it will almost certainly not be the last piece of biometric privacy legislation modeled after Illinois' BIPA to be introduced this year.

As such, companies are well advised to take proactive steps to implement flexible, adaptable biometric privacy programs that will enable them to adeptly respond to the ever-changing legal landscape of biometric privacy.

Specifically, companies that use biometric data in their operations — even if they conduct business exclusively in locales that do not yet have any type of biometric privacy law on the books — should consider implementing the following compliance practices:

  • Privacy policy: Develop a publicly available, detailed biometrics-specific privacy policy that provides clear notice that biometric data is being collected, as well as information regarding the purposes for which the data is used and the company's schedule and guidelines for the retention and destruction of this data.
  • Written notice: Provide written notice — prior to the time any biometric data is collected — which clearly informs individuals that biometric data is being used by the company; how that data will be used and/or shared; and the length of time over which the data will be retained until it is destroyed.
  • Written release: Obtain a signed written release from all individuals prior to the time any biometric data is collected that permits the company to collect/use the individual's biometric data and disclose the data to third parties for business purposes.
  • Data security: Maintain data security measures to safeguard biometric data that satisfy the reasonable standard of care applicable to the company's given industry and that protect biometric data in a manner that is the same as or more protective than the manner in which the company protects other forms of sensitive personal information.
  • Explicit prohibition on selling or otherwise profiting from biometric data: Enforce a strict ban that prohibits the company, its employees, and any vendors from selling or otherwise profiting from individuals' biometric data.

Conclusion

Maryland's bill is in the nascent stages of the legislative process; however, if enacted, the law will go into effect on Jan. 1, 2022.

The trend toward favoring private right of action provisions over administrative enforcement by both state and municipal legislatures is gaining momentum and should be cause for concern for those entities that use biometrics where no targeted biometric privacy law currently exists.

More than that, it is only a matter of time before biometric privacy laws are the norm, and not the exception, across the U.S.

Companies can get ahead of the compliance curve by taking proactive measures to develop and implement biometric privacy compliance programs that encompass the principles and practices described above.

In doing so, businesses can ensure continued, ongoing compliance not just with current biometrics regulation, but with future laws as well — allowing them to always stay a step ahead of today's constantly evolving biometric privacy regulation.

“Avoiding Biometric Privacy Class Actions After Md., NY Bills,” by David J. Oberly was published in Law360 on May 10, 2021.