Companies are becoming increasingly aware of the reach of biometric privacy laws, which are designed to protect an individual’s biometric identifiers or biometric information (“biometric data”), such as fingerprints, voiceprints, hand scans, and face geometry. Since the Illinois Biometric Information Privacy Act (“BIPA”) became effective in 2008, a number of states have passed or are considering [1] similar laws protecting such biometric data.

On January 6, 2021, the proposed Biometric Privacy Act (the “Act”) was introduced to the New York State legislature.  If adopted as drafted, the Act will require:

  • Any private entity that “possesses”¹ any biometric identifiers and/or information² (or “biometric data”) must have a written policy, publicly available³, establishing its retention and destruction schedule, as well as a secure means of destroying the data on the sooner of (i) when no longer needed for its original purpose of collection or (ii) after three years from the private entity’s interaction with the person providing the data.
  • A private entity cannot acquire, collect, trade, store, purchase or capture biometric data, whether from the person themselves or a third party, unless the entity first:
    • Informs the subject that their data is being so collected, stored, captured, purchased and/or traded
    • Informs the subject of the underlying legal purpose for which the data is being collected, stored and/or used
    • Receives a written release⁴ from the person or their legal representative.

To be clear, this will apply whether the data is collected from an employee (consider a biometric time clock) or a customer (think thumbprints used at amusement parks and to unlock devices).

Further, the draft legislation proscribes

In the continuing void at the federal level, more and more states are being proactive in adopting legislation that seeks to protect US residents’ personal data, and to impose stricter guidelines on companies that experience a data breach.

Although Washington State did not pass its previously pending bill that would have been more stringent on

The time for businesses to wait until they are breached to respond to data vulnerabilities is coming to an end.  While 50 states have breach notification statutes (reactive legislation), more than 25 states have now adopted some form of proactive legislation requiring companies to take “some” measures to protect the personally identifiable information they collect,