Developments in Biometric Information Privacy Laws

17 June 2021 Consumer Class Defense Counsel Blog
Author(s): Christopher Ward Kelsey C. Boehm

In 2008, Illinois became the first state to enact a Biometric Information Privacy Act (BIPA). BIPA regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information” (i.e., fingerprints, iris scans, voiceprints). It prohibits private parties from collecting biometric identifiers and generating individual “profile” information derived from biometric identifiers without first notifying the individuals whose information is being collected, obtaining their consent, and making specific disclosures to them. The statute also requires private parties to publish detailed information regarding their data retention and destruction policies, and prohibits them from selling collected biometric identifiers.

Since Illinois enacted BIPA, four other states have adopted legislation modeled on BIPA—Arkansas, California, Texas, and Washington. See Ark. Code § 4-110-104, Cal. Civ. Code § 1798.100, Tex. Bus. & Com. Code § 503.001, Wash. Rev. Code § 19.375.020. Twenty-seven other states have BIPA-modeled legislation pending as of June 2021:


 2021 AL H.B. 216
 Alaska  2021 AK S.B. 116
 Colorado  2021 CO H.B. 1244; 2021 CO S.B. 190
 Connecticut  2021 CT S.B. 893
 Florida  2021 FL H.B. 969
 Hawaii  2021 HI S.B. 1009
 Indiana  2020 IN H.B. 1371
 Kentucky  2021 KY S.B. 280 § 2(5)
 Maine  2021 ME S.P. 535
 Maryland  2021 MD H.B. 218; 2021 MD S.B. 16
 Massachusetts  2021 MS S.B. 2612
 Minnesota  2021 MN S.F. 1408
 Mississippi  2021 MS S.B. 2612
 Montana  2021 MT H.B. 710
 New Jersey  2020 NJ A.B. 3625
 New Mexico  2019 NM S.B. 1761
 New York  2021 NY A.B. 27
 North Carolina  2021 NC S.B. 569
 Oklahoma  2021 OK H.B. 1602
 Pennsylvania  2021 PA H.B. 5945
 Rhode Island  2019 RI H.B. 5945; 2019 RI S.B. 234
 South Carolina  2021 SC H.B. 3063
 Utah  2021 UT S.B. 200
 Virginia  2020 VA H.B. 2307
 Washington  2021 WA H.B. 14332
 West Virginia  2021 WV H.B. 2064; 2021 WV H.B. 3159
 Wisconsin  2019 WI S.B. 851

Only five states—Georgia, Kansas, Michigan, Missouri, and South Dakota—do not have existing or pending legislation regulating biometric information privacy. The remaining states address biometric privacy through existing personal information or privacy statutes and/or pending legislation that is not modeled after BIPA:


 Del. Code  6, § 12B-100
 District of Columbia  D.C. Code § 28-3851
 Idaho  2021 ID H.B. 147
 Iowa  Iowa Code § 715C.1(11)(a); 2018 IA H.F. 39
 Louisiana  La. Stat. Ann. § 51:3071-51:3077
 Nebraska  Neb. Rev. Stat. § 87-803
 Nevada  Nev. Rev. Stat. § 629.161
 New Hampshire  2021 NH H.B. 597
 North Dakota  ND S.B. 2075, effective 8/1/21
 Ohio  Ohio Rev. Code. § 3965.01
 Oregon  Or. Rev. Stat. § 646A.604
 Tennessee  TN H.B. 766 § 1 (effective July 1, 2021)
 Vermont  Vt. Stat. Ann. 9 § 2430
 Wyoming  Wyo. Stat. Ann. § 6-3-901; Wyo. Stat. Ann. § 40-12-501

Enforcement of Biometric Information Privacy Laws

Of the five states that have enacted biometric privacy legislation, only two allow for a private right of action: Illinois and California. However, recent decisions addressing Illinois’ BIPA provide little clarity and instead are indicative of just how underdeveloped the BIPA legal landscape remains and how many legal questions can be expected to continue surfacing in future litigation (covered separately here). California’s biometric privacy law does not begin to apply to employees’ biometric information until January 1, 2022. Therefore, employers should be cognizant of how they process employees’ personal information and should keep an eye out for further developments and case law interpreting the statute in the years to come.

In addition, of the 27 states with BIPA-modeled legislation pending, only five states—Connecticut, Indiana, Minnesota, Montana and Utah—do not propose a private cause of action, thereby increasing the likelihood of future biometric privacy litigation. Assuming the legislation in those states allowing for a private right of action is enacted, we should expect to see a significant uptick in cases interpreting those statutes. Some of those states’ proposed legislation would allow for the recovery of treble damages (Alaska, North Carolina, Washington) and attorneys’ fees (Alaska, Kentucky, North Carolina, Washington). Indeed, a closer look at Washington’s proposed legislation illustrates the broad reach of pending biometric privacy legislation and potential for significant liability to businesses. Notably, a violation of the statute would “constitute a rebuttable presumption of harm to that individual” and would allow courts to award liquidated “damages of $10,000 per violation or actual damages, whichever is greater,” and punitive damages. 2021 WA H.B. No. 1433. In addition, the Washington statute mandates an award of attorneys’ fees to prevailing plaintiffs. Id. (“courts shall award reasonable attorneys’ fees and costs to any prevailing plaintiff.”) (emphasis added).


Given the ongoing development of biometric privacy legislation and the potential exposure to punitive damages and award of attorneys’ fees, the best practical advice available to any employer or business leveraging technology to identify employees or facilitate customer transactions remains to engage counsel to explore proactive risk management strategies, rather than ending up on the reactive side of allegations of BIPA violations.

1 Action postponed indefinitely; New Mexico has incorporated biometric information into existing personal information protection statute, which is not modeled after BIPA. See NMSA 1978, §§ 57-12C-1 et seq.

2  This legislation expands the remedies available under Washington’s current BIPA-modeled statute.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services