The rise of Big Data and the development of tools to interpret massive data sets to better understand consumer behavior have led to booming demand for consumers’ personal information. Technological advances have also made biometric data, such as fingerprints and facial features, useful security tools for electronic devices. The growing use of Big Data and biometric data has caused some concern among consumers and policymakers. In response, several state legislatures have taken steps to regulate companies’ ability to acquire personal and biometric data.
In Massachusetts, for instance, four state senators introduced a bill (S.D 341) in late January that would require companies to refrain from collecting personal and biometric data absent express consent from the affected consumer. Under the proposal, consumers could request a copy of their personal data that has been collected, restrict disclosure of their data to third parties, and even require the business to delete their data. The bill also contemplates granting consumers a private right of action to obtain the greater of actual damages or $750 per incident, injunctive or declaratory relief, and reasonable attorneys’ fees. Notably, the bill would expressly confer standing to sue regardless of whether the unauthorized biometric data collected caused actual harm.
Massachusetts is not the first state to consider such a law. Illinois, for example, enacted the Biometric Information Privacy Act (“BIPA”) in 2008. Under the BIPA, companies are required to notify a consumer before they collect biometric data. It also mandates companies to take reasonable care in safeguarding such data, limits retention of such data to the purpose for which it was collected, and restricts the sale and disclosure of biometric data. The BIPA grants consumers a private right of action.
Texas and Washington have also enacted laws governing the collection of biometric data, but those state’s laws do not provide for a private right of action. Other states in addition to Massachusetts—such as New York, North Carolina, and Wisconsin—have implemented data breach notification requirements, but those states have not yet regulated the collection of biometric data. As collection of personal and biometric data becomes more important to a variety of industries, those industries should anticipate the states, and, potentially, Congress will enact laws similar to BIPA or the proposed SD 341.