In 2008, Illinois became the first state to enact a Biometric Information Privacy Act (BIPA). BIPA regulates “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information” (i.e., fingerprints, iris scans, voiceprints). It prohibits private parties from collecting biometric identifiers and generating individual “profile” information derived from biometric identifiers without first notifying the individuals whose information is being collected, obtaining their consent, and making specific disclosures to them. The statute also requires private parties to publish detailed information regarding their data retention and destruction policies, and prohibits them from selling collected biometric identifiers.
Since Illinois enacted BIPA, four other states have adopted legislation modeled on BIPA—Arkansas, California, Texas, and Washington. See Ark. Code § 4-110-104, Cal. Civ. Code § 1798.100, Tex. Bus. & Com. Code § 503.001, Wash. Rev. Code § 19.375.020. Twenty-seven other states have BIPA-modeled legislation pending as of June 2021:
|2021 AL H.B. 216|
|Alaska||2021 AK S.B. 116|
|Colorado||2021 CO H.B. 1244; 2021 CO S.B. 190|
|Connecticut||2021 CT S.B. 893|
|Florida||2021 FL H.B. 969|
|Hawaii||2021 HI S.B. 1009|
|Indiana||2020 IN H.B. 1371|
|Kentucky||2021 KY S.B. 280 § 2(5)|
|Maine||2021 ME S.P. 535|
|Maryland||2021 MD H.B. 218; 2021 MD S.B. 16|
|Massachusetts||2021 MS S.B. 2612|
|Minnesota||2021 MN S.F. 1408|
|Mississippi||2021 MS S.B. 2612|
|Montana||2021 MT H.B. 710|
|New Jersey||2020 NJ A.B. 3625|
|New Mexico||2019 NM S.B. 1761|
|New York||2021 NY A.B. 27|
|North Carolina||2021 NC S.B. 569|
|Oklahoma||2021 OK H.B. 1602|
|Pennsylvania||2021 PA H.B. 5945|
|Rhode Island||2019 RI H.B. 5945; 2019 RI S.B. 234|
|South Carolina||2021 SC H.B. 3063|
|Utah||2021 UT S.B. 200|
|Virginia||2020 VA H.B. 2307|
|Washington||2021 WA H.B. 14332|
|West Virginia||2021 WV H.B. 2064; 2021 WV H.B. 3159|
|Wisconsin||2019 WI S.B. 851|
Only five states—Georgia, Kansas, Michigan, Missouri, and South Dakota—do not have existing or pending legislation regulating biometric information privacy. The remaining states address biometric privacy through existing personal information or privacy statutes and/or pending legislation that is not modeled after BIPA:
|Del. Code 6, § 12B-100|
|District of Columbia||D.C. Code § 28-3851|
|Idaho||2021 ID H.B. 147|
|Iowa||Iowa Code § 715C.1(11)(a); 2018 IA H.F. 39|
|Louisiana||La. Stat. Ann. § 51:3071-51:3077|
|Nebraska||Neb. Rev. Stat. § 87-803|
|Nevada||Nev. Rev. Stat. § 629.161|
|New Hampshire||2021 NH H.B. 597|
|North Dakota||ND S.B. 2075, effective 8/1/21|
|Ohio||Ohio Rev. Code. § 3965.01|
|Oregon||Or. Rev. Stat. § 646A.604|
|Tennessee||TN H.B. 766 § 1 (effective July 1, 2021)|
|Vermont||Vt. Stat. Ann. 9 § 2430|
|Wyoming||Wyo. Stat. Ann. § 6-3-901; Wyo. Stat. Ann. § 40-12-501|
Of the five states that have enacted biometric privacy legislation, only two allow for a private right of action: Illinois and California. However, recent decisions addressing Illinois’ BIPA provide little clarity and instead are indicative of just how underdeveloped the BIPA legal landscape remains and how many legal questions can be expected to continue surfacing in future litigation (covered separately here). California’s biometric privacy law does not begin to apply to employees’ biometric information until January 1, 2022. Therefore, employers should be cognizant of how they process employees’ personal information and should keep an eye out for further developments and case law interpreting the statute in the years to come.
In addition, of the 27 states with BIPA-modeled legislation pending, only five states—Connecticut, Indiana, Minnesota, Montana and Utah—do not propose a private cause of action, thereby increasing the likelihood of future biometric privacy litigation. Assuming the legislation in those states allowing for a private right of action is enacted, we should expect to see a significant uptick in cases interpreting those statutes. Some of those states’ proposed legislation would allow for the recovery of treble damages (Alaska, North Carolina, Washington) and attorneys’ fees (Alaska, Kentucky, North Carolina, Washington). Indeed, a closer look at Washington’s proposed legislation illustrates the broad reach of pending biometric privacy legislation and potential for significant liability to businesses. Notably, a violation of the statute would “constitute a rebuttable presumption of harm to that individual” and would allow courts to award liquidated “damages of $10,000 per violation or actual damages, whichever is greater,” and punitive damages. 2021 WA H.B. No. 1433. In addition, the Washington statute mandates an award of attorneys’ fees to prevailing plaintiffs. Id. (“courts shall award reasonable attorneys’ fees and costs to any prevailing plaintiff.”) (emphasis added).
Given the ongoing development of biometric privacy legislation and the potential exposure to punitive damages and award of attorneys’ fees, the best practical advice available to any employer or business leveraging technology to identify employees or facilitate customer transactions remains to engage counsel to explore proactive risk management strategies, rather than ending up on the reactive side of allegations of BIPA violations.
1 Action postponed indefinitely; New Mexico has incorporated biometric information into existing personal information protection statute, which is not modeled after BIPA. See NMSA 1978, §§ 57-12C-1 et seq.
2 This legislation expands the remedies available under Washington’s current BIPA-modeled statute.