SC Biometric Data Bill Could Shift Nat'l Privacy Landscape
From biometric fingerprint time clocks to facial recognition-powered virtual try-on features, the myriad ways in which biometric data is used for commercial purposes continues to proliferate. As the use of biometric data grows, so, too, do the associated privacy risks — to which lawmakers have responded by enacting regulation over this especially sensitive form of personal information.
To date, all biometric privacy statutes currently on the books follow the same general blueprint in terms of the requirements and restrictions they impose over the collection and use of biometric data. Similarly, the biometric privacy bills proposed this year by New York and Maryland also both follow the same basic formula as well.
Importantly, however, with a third biometric privacy bill introduced by South Carolina in 2021 — the Biometric Data Privacy Act, or BDPA — that could all change in the blink of an eye. Instead of following in the footsteps of prior biometric privacy legislation, the BDPA incorporates only a small portion of the provisions that have become common components of today's biometric privacy statutes, while at the same time also integrating a range of privacy principles only seen, until now, in broader consumer privacy laws.
Consequently, if enacted, the BDPA could cause a sizable shakeup in the legal landscape of biometric privacy by introducing an entirely new set of compliance obligations relating to the use of biometric data that, in turn, would significantly increase the compliance burden placed on companies that utilize biometrics in their operations in the process.
Overview of the South Carolina Biometric Data Privacy Act
The BDPA mirrors some of the provisions contained in other biometric privacy statutes and bills, namely the following:
- Notice must be provided to consumers regarding the use of biometrics at or before the time any biometric data is collected.
- Written consent must be obtained from consumers before the time at which any biometric data is collected.
- Reasonable data security measures must be maintained to safeguard biometric data.
The BDPA also includes a private right of action provision as its main enforcement mechanism, allowing aggrieved individuals to recover $1,000 in statutory damages per negligent violation and $10,000 per intentional or willful violation.
How the BDPA Diverges From Other Biometric Privacy Legislation
With that said, the BDPA diverges in a number of significant respects from other biometric privacy statutes and proposed legislation, namely, by taking a page out of today's consumer privacy laws, such as the California Consumer Privacy Act and the recently enacted Virginia Consumer Data Protection Act.
First, the BDPA provides consumers with a range of rights over the collection and use of their biometric data, including access, opt-out, deletion and anti-discrimination rights.
In addition, the BDPA also imposes several additional compliance obligations relating to the right to opt out, including the addition of a "do not sell my biometric information" link to businesses' webpages, which must provide a description of consumers' rights under the BDPA and enable consumers to opt out of the sale of their biometric data.
Second, the BDPA requires mandatory employee training to ensure that all employees handling consumer inquiries or managing compliance in connection with the company's biometrics program are trained on how to direct consumers to exercise their rights.
Third, the BDPA sets forth data breach notification obligations that require any business that suffers a security incident to notify all consumers within 72 hours of discovering the breach. Significantly, violations of this aspect of the BDPA may subject a business to a fine of $5,000 for each consumer that is not notified in a timely manner.
Finally, the BDPA permits businesses to offer financial incentives — including payments to customers as compensation — for the collection, sale or deletion of biometric data. In order to do so, however, businesses must provide notice of the financial incentive to consumers through a link on the business' website. In addition, a business may not enter into a financial incentive arrangement with a consumer until after the consumer has provided his or her opt-in consent to the arrangement.
Analysis and Takeaways
While the BDPA, if enacted, would only apply to businesses operating in the state of South Carolina, the Palmetto State's proposed legislation is nonetheless poised to have a substantial impact on the national landscape of biometric privacy.
Continuation of Trend of Using Private Right of Action Provisions as Primary Enforcement Mechanism for New Biometric Privacy Laws
The BDPA — like the Maryland and New York biometric privacy bills also introduced in 2021 — includes a private right of action as the proposed legislation's main enforcement mechanism. This is a significant departure from the approach taken by legislators with respect to the majority of biometric privacy bills introduced during previous legislative cycles, which tended to place enforcement powers in the hands of state attorneys general.
At the same time, two other recently enacted biometric privacy laws — Portland, Oregon's, private sector facial recognition ban and New York City's biometric privacy ordinance governing commercial establishments — both include private rights of action. Similarly, a third piece of legislation recently passed by the New York City Council also implicating the use of biometric data — the Tenant Data Privacy Act — likewise uses this more stringent enforcement mechanism.
Taken together, a clear, significant trend is emerging with lawmakers clearly favoring the inclusion of provisions that allow class action litigation to be pursued for noncompliance as an integral component of this new wave of biometric privacy legislative proposals and laws. In turn, a real possibility now exists that the same tsunami of class litigation that has been generated in connection with Illinois's biometric privacy law may soon arrive in other parts of the country.
Potential Influence on Other States and Cities
In addition, if South Carolina is successful in its effort to enact the BDPA, it may influence lawmakers in other parts of the country to try their hand at enacting similar hybrid biometric privacy laws that also incorporate requirements and limitations that, until now, have only been included in broader, more comprehensive consumer privacy statutes. This would significantly increase compliance burden in connection with the use of biometrics.
At the same time, the BDPA may also provide strong encouragement to lawmakers who are contemplating the prospect of enacting robust regulation over the use of biometrics — but who do not have an appetite for passing a more burdensome type of biometric privacy law similar to the BDPA — to push forward with nonetheless strict regulation paralleling that of Illinois' Biometric Information Privacy Act and similar statutes.
What To Do Now
While the BDPA represents the third biometric privacy bill to be introduced by state lawmakers in 2021, it will almost certainly not be the last piece of biometric privacy legislation introduced by state and municipal legislatures this year. And as consumers' biometric privacy rights continue to expand at a hurried pace, it is only a matter of time before biometric privacy laws are the norm, and not the exception, across the nation.
Importantly, South Carolina's biometric privacy bill illustrates legislators' continued interest in enacting new, far-reaching biometric privacy legal frameworks, which will ultimately lead to much more complex, burdensome compliance obligations for companies that collect and use biometric data as more states and cities enact new biometric privacy laws, each with its own unique requirements. As such, while compliance with biometric privacy laws may seem like a fairly simple, straightforward task today, that may soon change in the immediate future.
Consequently, companies that are currently using biometric data, or are contemplating doing so in the future — even if they are not subject to any biometric privacy regulation at this time — should not wait until new laws are passed to commence their efforts to build out their biometric privacy compliance programs.
Rather, companies should take affirmative steps now to begin installing flexible, adaptable compliance programs that will enable them to adeptly respond to the ever-changing legal landscape of biometric privacy. Importantly, an early start toward compliance can make all the difference between being able to fully comply with today's increasingly complex web of biometric privacy laws and being on the receiving end of a potentially devastating biometric privacy class action lawsuit.
“SC Biometric Data Bill Could Shift Nat'l Privacy Landscape,” by David J. Oberly, was published in Law360 on June 22, 2021.
This article was referenced in “South Carolina Biometric Data Privacy Act could increase compliance obligations,” by Chris Burt, published in Biometric Update on June 24, 2021.