Biometric Privacy Regulation May Soon Be Coming to Pennsylvania
Currently, only a handful of domestic laws directly regulate the collection and use of biometric data—such as fingerprints, voice prints, retina scans and facial scans. But that may soon change. Several state legislatures have bills pending which, if passed, would place robust requirements and limitations over private entities’ biometric practices. And many of these bills would go into effect immediately, giving covered entities little time to come into compliance before being subject to potentially significant liability.
One of those states awaiting biometric privacy legislation is Pennsylvania, which has introduced the proposed Consumer Data Privacy Act (CDPA) (H.B. 1049)—a broad consumer privacy law that encompasses the use of biometric data, much like the California Consumer Privacy Act of 2018 (CCPA). If enacted, the CDPA would directly implicate a wide swath of businesses that collect and use Pennsylvania residents’ biometric data; it would also create significant class action liability as soon as the bill is enacted.
As such, all Pennsylvania companies utilizing biometric data are well advised to take immediate, proactive measures to implement practices/protocols to ensure compliance with the CDPA prior to enactment.
The CDPA would apply to any entity that collects consumers’ personal information (including biometric information), does business in the Commonwealth, and satisfies any one of three thresholds: has gross annual revenue in excess of $10 million; buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of its revenue from the sale of consumers’ personal information. The term “biometric information” is not defined in the CDPA.
The CDPA lays out a “general rule” that consumers shall have the right to: know what data is being collected about them; know whether their data is being sold or disclosed, and to whom; decline or opt out of the sale of their data; access their data that has been collected; and receive equal service and price when they exercise their rights under the law.
More specifically, all companies falling under the law would be required to satisfy a broad range of specific compliance requirements set forth under the CDPA—much like those set forth in the CCPA—including:
- Compliance with the many rights afforded consumers to lodge requests regarding the biometric data that is collected, used, disclosed, and sold by covered entities, including the right to know, right to access, right to opt out, right to deletion, and right to equal service and pricing;
- Data security mandates, which require covered entities to satisfy their duty to implement and maintain “reasonable security practices and procedures” to protect biometric data from being improperly accessed, acquired, or disclosed; and
- Employee training requirements.
Like the CCPA, the CDPA would provide consumers with a private right of action—albeit a more limited one as compared to other states with biometric laws already on the books. Specifically, consumers can pursue individual or class litigation if their personal data is impacted by a data breach and the entity is found to have violated its duty to maintain reasonable security measures. Consumers would be able to recover between $100 and $750 in statutory damages per incident.
For violations outside of a data breach event, enforcement authority is vested in the Pennsylvania Attorney General. Here, businesses could be held liable for civil penalties of up to $7,500 for “each violation” of the law.
Even With a Narrow Private Right of Action, Significant Class Action Litigation Exposure Remains
Given the CDPA’s narrow private right of action, many businesses may assume the law poses a low risk of class action litigation for noncompliance. As demonstrated by the flurry of class actions filed for purported violations of the CCPA since the law went into effect at the start of 2020, however, this could be a very costly miscalculation.
While the CCPA has a limited private right of action involving data breach incidents—identical to that of the CDPA—plaintiffs’ attorneys have wasted no time filing a wave of class actions for purported CCPA violations that have no relation to a breach incident. In fact, many such suits have not asserted causes of action directly under the CCPA at all; instead, they used the CCPA as a predicate for claims under California’s plaintiff-friendly Unfair Competition Law (UCL).
The California UCL, in turn, bars companies from engaging in business practices that are “unlawful, unfair, or fraudulent.” Critically, the California UCL allows plaintiffs to “borrow” purported violations from other statutes—such as the CCPA—for use in asserting such “unlawful” practices.
A similar concern exists regarding Pennsylvania’s proposed CDPA, especially since the Keystone State’s Unfair Trade Practices and Consumer Protection Law (UTPCPL) is very closely aligned with California’s UCL. Indeed, Pennsylvania’s consumer protection law creates a private right of action for individuals subjected to unfair/deceptive acts or practices and contains a catch-all provision that includes all fraudulent conduct which creates a likelihood of confusion or misunderstanding.
To establish a violation of this catch-all provision, a consumer need only show the business’s conduct “has the tendency or capacity to deceive”—a very low bar that could likely be satisfied by pointing to violations of the CDPA. Thus, it is reasonable to posit consumers will “borrow” purported violations of the CDPA for use in asserting claims under the UTPCPL’s catch-all provision.
While attempts to expand the scope of liability under the CDPA may ultimately fail, those businesses targeted with class action lawsuits will incur significant litigation costs in defending such suits, further raising the importance of strict, advance compliance with the CDPA’s mandates.
What to Do Now: Compliance Tips
To ensure compliance with the CDPA in the event it is passed (and thereafter goes immediately into effect), Pennsylvania businesses utilizing biometric data should consider taking the following action steps:
- Data Mapping: Conduct a data mapping and inventory exercise, which entails mapping and inventorying every piece of biometric data collected, used, and sold by the company, as well as all its data processing practices. Doing so will allow companies to proactively manage and safeguard biometric data, build out the privacy disclosures that are required by the CDPA, and satisfy consumer rights requests.
- Opt-Out: Permit individuals to opt out of the collection of their biometric data.
- Systems to Comply With Consumer Rights Requests: Implement systems and procedures to ensure adherence with the broad range of consumer rights afforded under the CDPA.
- Data Security: Maintain “reasonable security practices and procedures” to protect biometric data from being improperly accessed, acquired, or disclosed.
- Employee Training: Provide training to all employees who will be engaged in the entity’s CDPA compliance efforts on the business’s biometrics practices, its requirements under the CDPA, and how to properly respond to and satisfy consumer rights requests.
- Consult With Experienced Biometric Privacy Counsel: Consult with experienced biometric privacy counsel before implementing any type of biometric technology to ensure compliance with the CDPA and, from a broader perspective, with today’s constantly evolving biometric privacy legal landscape.
2020 has seen an explosion of bet-the-company class action litigation under other states’ targeted biometric privacy laws, including several high-profile suits against some of today’s largest tech titans. And although the CCPA offers only a narrowed private right of action, a steady stream of class action litigation for alleged CCPA violations has also occurred since the enactment of California’s privacy statute.
Due to the similar nature of Pennsylvania’s CDPA and California’s CCPA, Pennsylvania companies should similarly expect class action litigation like what has been seen on the West Coast. To stem the possibility of such massive exposure, Pennsylvania companies falling within the CDPA should take immediate action to implement best practices to ensure compliance with the proposed Pennsylvania law. Because the CDPA would go into effect immediately, there is little time to wait to stay ahead of this potentially tectonic shift in the law.
“Biometric Privacy Regulation May Soon Be Coming to Pennsylvania,” by Jeffrey N. Rosenthal and David J. Oberly was published in The Legal Intelligencer on October 9, 2020.