- The Florida state legislature is currently considering two bills that address biometric information privacy, one introduced by State Rep. Bobby DuBose and another from State Sen. Gary Farmer, Jr.
SB 1270 and HB 1153 are both designed to establish requirements and restrictions on private businesses for the use, collection, and maintenance of biometric identifiers and biometric data. Further, the bills would create a private cause of action for businesses that violate the law.
Both bills feature similar language and mirror language from Illinois’ Biometric Information Privacy Act, which provides individuals with statutory damages for businesses that are negligent, or intentionally violate the law. The Illinois Supreme Court recently ruled that an individual does not need to prove actual harm to bring a claim for statutory damages in the event of a breach.
Florida’s version defines biometric identifiers, as iris or retina scans, fingerprints, voice prints, or face scans. It does not include writing samples, signatures, photographs, or human biological samples, nor does it include HIPAA-covered elements, such as patient data collected in the healthcare setting.
“‘Biometric information’ means any information, regardless of the manner in which it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual,” the bill authors wrote.
Under the proposal, a private entity in possession of biometric data or identifiers must develop a publicly available, written policy that outlines its retention schedule and guidelines for permanently destroying biometrics “upon satisfaction of the initial purpose for collecting or obtaining such identifiers” or within three years of the last interaction with the individual, whichever comes first.
Further, the bill prohibits businesses from collecting, capturing, or purchasing an individual’s biometric identifier or data without authorization or notice, as well as barring those companies from selling, leasing, trading, or profiting from a customer’s biometrics.
Companies found negligent of the law would be required to pay up to $1,000 in liquidated damages or actual damages, whatever amount is higher. Those companies that intentionally violate the law would be mandated to pay $5,000 in liquidated damages, or actual damages, whichever amount is greater.
The Senate bill was recently brought to the Judiciary Committee, the Rule Committee, and the Innovation, Industry, and Technology Committee, while the House version was referred to the Commerce Committee, the Civil Justice Subcommittee, and the Business and Professions Subcommittee.
If enacted, Florida’s biometric data privacy bill would take effect in October 2019.
Washington Senate Passes Data Privacy Legislation
Last week, the Washington State Senate passed a data privacy protections package, which would give consumers the right to delete their data held by private businesses.
If passed by the State House, the legislation would require businesses that control or process identifiable data of more than 100,000 individuals to let its consumers see what data is stored about them, in addition to allowing them to correct mistakes or request the record to be deleted.
The Centers for Democracy & Technology recently proposed a national data privacy bill with similar language, allowing consumers the right to dispute the accuracy of their patient health information and provide transparency into where their data is located.
Washington’s proposed bill will also create requirements for facial recognition technology within the state, mandating those businesses post signs when the tech is in use. And decisions based on facial matches must be reviewed by a human. State agencies would be restricted form using the tech without a warrant.
The proposal passed the State Senate 46-1 and now moves to the State House for consideration.
Currently, Congress is weighing a federal, unified data privacy law that would potentially repeal the patchwork of these state data laws. However, Republicans and Democrats have staunchly different views as to what that legislation would look like.
As a result, many states have ramped up enforcement efforts around privacy breaches and have been steadily working to enact state data privacy laws. California has one of the strictest data privacy laws and recently moved to close gaps in its breach notification requirements, while North Carolina is considering shortening the data breach notification timeline to just 30 days.