Amidst growing concerns over the use of facial recognition technology and systems collecting biometric data, Senators Bernie Sanders (D-VT) and Jeff Merkley (D-OR) announced the introduction of a bill that would prevent private companies from collecting and disclosing biometric identifiers and information without consumers’ and employees’ consent. Introduced in August 2020, the ‘National Biometric Information Privacy Act of 2020’ (NBIPA) would apply to biometric data such as eye scans, fingerprints, voiceprints, and faceprints (including those derived from photos). It would also prohibit the purchase, sale, lease, trade, and retention of biometric data without written consent.
The NBIPA comes on the heels of other federal proposals supported by Senator Merkley earlier this year, such as the Facial Recognition and Biometric Technology Moratorium Act (restricting the use of biometric data by law enforcement agencies) and the Ethical Use of Facial Recognition Act (prohibiting the federal government’s use of facial recognition technology until Congress passes legislation outlining permissible uses for the data).
“We can’t let companies scoop up or profit from people’s faces and fingerprints without their consent,” said Senator Merkley. “We have to fight against a ‘big brother’ surveillance state that eradicates our privacy and our control of our own information, be it a threat from the government or from private companies.”
The NBIPA draws inspiration from state legislation passed in Illinois over a decade ago, in 2008. Illinois’ Biometric Information Privacy Act (BIPA) was the first law of its kind – most notably providing for a private right of action for misuse of biometric information. Texas followed suit in 2009, along with more recent state legislation in Washington, Arkansas, New York, and California. The national legislation would mirror these state developments, which have broadened the definition of personal information to include biometric data.
The NBIPA would apply to private entities – defining those companies as businesses of any size in possession of biometric identifiers or biometric information of any individual (excluding federal, state, and local governments as well as academic institutions). Most significantly, the NBIPA would set forth:
- A requirement that companies obtain consent from individuals prior to collecting and disclosing their biometric information.
- A private right of action against entities, including the ability to recover damages for violations of the law’s provisions.
- A duty to safeguard biometric identifiers or biometric information in a fashion similar to the safeguards used for other confidential and sensitive information (e.g. Social Security Numbers, SSNs).
To help further protect against the misuse of biometric data, the NBIPA also requires that private entities:
- Develop and maintain a publicly available written policy that establishes a retention schedule and guidelines used for permanently destroying biometric identifiers and information not more than one year beyond the individual’s last interactions with the company (if not sooner).
- Collect biometric identifiers and biometric information only when needed to provide a service to those individuals or to support a valid business purpose.
- Inform individuals that their biometric identifiers and biometric information are being collected or stored, identify the purpose and time period for collection, storage, or use, and obtain written consent from each individual (independent of any consent received through other agreements).
- Obtain a written release immediately prior to the disclosure of any biometric identifiers or biometric information that identifies the data being disclosed, the reason for disclosure, and the recipients of that information.
- Maintain biometric information using the reasonable standard of care within the private entity’s industry.
Reaction to the proposed law has cited similarities to Illinois’ BIPA and the California Consumer Privacy Act (CCPA). First, the NBIPA would grant a private right of action (similar to Illinois) – empowering individuals to hold private entities accountable, but also bringing with it the risk of litigation that may further hinder companies already dealing with the economic stresses of COVID-19. Second, the NBIPA would give U.S. citizens a ‘right to know’ – wherein an individual can request what biometric identifiers or biometric information have been collected during the preceding 12-month period. However, unlike the CCPA (or the EU’s General Data Protection Regulation – ‘GDPR’), the proposal discusses but does not specifically define personal information – only providing definitions of biometric identifiers and of confidential and sensitive information.
From a records management perspective, the implications of the NBIPA would be substantial. Not only would the law require that companies make publicly available a written policy that establishes a formal retention schedule – it would further set forth specific guidelines for destruction of biometric identifiers and biometric information. This will create an additional burden on companies to prove that destruction took place either on the date the purpose of collection was satisfied or, in the alternative, within one (1) year of that individual’s last interaction with the private entity.
Additionally, legislators have pointed to the inconsistencies of a state-by-state framework in support of the need for federal legislation – citing, in particular, the growing reach of Illinois’ BIPA. In 2019, the state supreme court held in Rosenbach v. Six Flags that a private right of action can be brought regardless of whether actual or concrete harm was suffered – an individual need only allege a violation of Illinois’ BIPA to have standing to file suit. Later, in 2020, Facebook raised its initial $550 million settlement accord to $650 million to resolve a lawsuit brought in a U.S. District Court in California alleging that the company had collected and stored biometric data on its users in violation of Illinois’ BIPA. Meanwhile, Clearview AI was driven out of Illinois after facing a lawsuit filed by the ACLU (and supported by numerous tech companies) which claimed that its practice of scraping social media sites and other public repositories using facial recognition violated the state’s BIPA statute.
By contrast, other federal and state proposals attempting to protect personal information have died in the legislative process. The Data Care Act of 2018 had attempted to establish basic standards of care for personal data processed by online service providers, but never received a vote in the US Congress. State-level proposals, such as Arizona HB2478 and Florida’s Biometric Information Privacy Act, that sought to further safeguard biometric data have met a similar fate. The failure of Florida’s proposals was particularly significant, as they had attempted to grant a private cause of action identical to Illinois’ BIPA. As a result, enforcement powers for non-compliance are largely left to the state attorney general – with the CCPA giving consumers in California only a limited private right of action in the event a data breach results in loss or theft of their personal data.
To what extent the initially proposed NBIPA moves forward will be interesting to watch – whether it is enacted into law in some amended form, or fades out in the legislative process like so many other state and federal proposals. In the interim, companies would be best served to look to their own internal policies and procedures – understanding how they are managing biometric identifiers and information, as well as the retention schedule frameworks and records destruction processes that govern the use of that data.