An Eye to the Future and a Finger on the Pulse of Technology – Biometric Data Regulations

Mathew Moldawer
03/28/2023

The Maryland legislature introduced House Bill 33: Biometric Data Privacy Act (the Act). The Act defines “Biometric data” as data generated by automatic measurements of the biological characteristics of an individual, such as a fingerprint, a voiceprint, an eye retina, an eye iris, or any other unique biological patterns or characteristics, that is used to identify a specific individual. Not included is a physical or digital photograph, a video or audio recording, or information collected, used, or stored for health care treatment, payment, or operations under the Federal Health Insurance Portability and Accountability Act (HIPAA).

Depending on the circumstances, the Act may require that a private entity in possession of biometric data develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data. Public availability of the written policy may not be required if the policy applies only to the employees of the private entity and is used solely for internal company operations.

Moreover, the private entity must protect biometric data as much as, if not more than, it protects and stores other confidential and sensitive information such as social security numbers. It may not sell, lease, or trade an individual’s biometric data, nor may it condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric data unless it is strictly necessary to provide the service, nor may the private entity charge more to someone exercising their rights under this Act. A private entity that collected biometric data may not collect, use, disclose, redisclose, or otherwise disseminate an individual’s biometric data unless the individual or her legally authorized representative gives consent to the particular category or if the disclosure or redisclosure is required by valid warrant or subpoena or to comply with federal, state, or local laws, regulations, or rules. However, a private entity may collect, use, disclose, redisclose, or otherwise disseminate an individual’s biometric data if the private entity does so for fraud prevention or security purposes, and posts conspicuously written notice of the collection of biometric data at each point of entry of the facility.

If a private entity uses a processor to process or store biometric data, the entity may not allow the processor to collect, store, process, use, disclose, or take any action for monetary consideration on or with the biometric data of an individual except for purposes for which the private entity received consent from the individual.

Several states have biometric data privacy laws on their books, and even more have pending legislation on the subject. Most notably, Illinois has what is considered the most comprehensive law, and litigation surrounding its statute has expanded the ability of the individual to recover for a company’s violation of the biometric privacy act. In 2019, the Illinois Supreme Court held in Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 (2019) that a plaintiff can be considered an “aggrieved person” under the statute and entitled to statutory damages without alleging an actual injury. In 2023, in Cothron v. White Castle System, Inc., 2023 IL 128004 (2023), the Illinois Supreme Court clarified that claims accrue each time biometric data is unlawfully collected or disclosed.

While at this point we do not know what the future holds in Maryland, the trend of biometric data privacy laws, protecting both customers and employees, shows companies should be prepared to evaluate when, where, and why biometric data is collected, used, stored and protected.
