CPW’s David Oberly recently wrote a guest analysis at Law360 concerning Maryland HB 259, the Biometric Identifiers Privacy Act. As he addresses at Law360, this bill comes in the wake of failed efforts in the state to enact biometric privacy legislation. HB 259 would require:
- Publicly available privacy policies containing written retention schedules and guidelines for the permanent destruction of biometric data;
- Written consent obtained before the time any biometric data is collected;
- Reasonable security measures to safeguard biometric data; and
- A prohibition on selling, leasing or otherwise profiting from individuals’ biometric data.
As used in the bill, “biometric identifier” means “the data of an individual generated by automated measurements of an individual’s unique biological characteristics.” This would include, but not be limited to: faceprints, but excludes photographs or video, or a physical description (e.g., height, weight, hair color, eye color, tattoo description, etc.).
David commented to CPW that “Maryland’s HB 259 was recently followed up by Maine’s legislature, which also introduced its own “hybrid” biometric privacy bill (LD 1459) integrating a mix of concepts traditionally associated with both biometric privacy and consumer privacy statutes. Thus, a trend is emerging with biometric privacy bills that mirror BIPA in many ways, but which also differ from current biometric privacy statutes in many respects as well. If enacted, these hybrid statutes will make the task of compliance for companies that utilize biometric in their operations much more difficult and complex.”
Additionally, HB 259 also contains a private right of action with liquidated statutory damages. It provides that a private entity that collects biometric identifiers may not collect, use, disclose, redisclose, or otherwise disseminate an individual’s biometric identifiers, unless, among others, it has the individual’s (or the individual’s representative’s) written consent. The bill would allow for the recovery of $1,000 or actual damages per violation, whichever is greater, for negligence; or $5,000 or actual damages, whichever is greater, for intentional or reckless violations. A private plaintiff would also be able to recover reasonable attorney’s fees and costs (including expert witness fees and litigation expenses), and obtain other relief, including an injunction.
CPW’s Kristin Bryan, a data privacy and cybersecurity litigator who also advises AI companies on proposed biometrics laws commented that “HB 259 is one of several biometric privacy laws under consideration this year that would incorporate a private right of action along with significant statutory liquidated damages. If other states proceed as Illinois did in 2008 in enacting a biometric privacy law it would be anticipated to trigger a sea change in the data privacy landscape.”
For more on this, stay tuned. CPW will be there to keep you in the loop.