Targeted biometric privacy proposals fail in US state legislatures

Convincing US states to pass consumer privacy legislation is no easy task, as legislators across the country can attest.

Enacting state laws aimed specifically at regulating how businesses collect biometric information, including voice recordings, fingerprints and face scans, is even harder.

Legislators in more than a dozen US states introduced biometric-specific privacy bills this year. None of the proposals have passed, and only a few made it out of the committee where they were introduced.

State biometric privacy bills have died this year in California, Colorado, Kentucky, Maryland, South Carolina, Texas, Vermont, Washington and West Virginia.

Industry lobbyists pushed back hard on the targeted bills because there’s a lot of money to be made from the technologies. The global market for biometrics is expected to hit $44 billion by 2026, according to a recent study from Global Industry Analysts.

But along with profit margins, concerns over misuse of this highly sensitive personal information are growing, fueling government investigations, eye-popping class-action settlements and plenty of regulatory woes.

Copying Illinois

The solution, state legislators have said, is to follow Illinois’ example. Many of the state biometric proposals are modeled after the 2008 Illinois Biometric Information Privacy Act. BIPA requires companies to tell residents in writing when their biometric data is collected or stored, and they must obtain a written release to collect, store or use that data.

BIPA also contains a private right of action. Illinois residents can sue for damages under BIPA that can add up quickly. The law provides for uncapped statutory damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

Most of the state biometric bills proposed this year generally would have instructed businesses to track the collection of biometric information or biometric identifiers, and get employees or consumers to consent before that collection.

A point of contention

Most of the BIPA-styled bills contain a private right of action. Not surprisingly, a key point of contention in states considering copycat legislation has been granting consumers the right to sue.

Opponents have said Illinois is a blueprint of what can go wrong when state legislatures do. Thanks to BIPA, they say, Illinois has become a “Wild West” for class-action litigation, which primarily benefits attorneys, not consumers. That’s also something Illinois state lawmakers never intended when they passed BIPA, opponents have argued.

For years, the litigation risk from BIPA for companies was low. But in 2019 the Illinois Supreme Court held that a mere violation of BIPA was enough to confer standing to sue in court. Residents don't need to allege that they suffered any subsequent injury or harm to obtain damages.

Since then, putative class actions filed under BIPA in Illinois state court and US federal court have risen sharply, with more than 850 BIPA class actions brought in Illinois alone.

The lawsuits have resulted in some noteworthy settlements with tech companies and even changed their business practices. Last year, Facebook agreed to a record $650 million to settle claims that its facial-recognition tools violated BIPA, and chose to shut down its decades-old facial-recognition system.

State lawmakers insist their constituents should be entitled the same relief as Illinois residents when companies collect their facial prints or fingerprints without notice or consent.

Backlash against BIPA

But the wave of litigation in Illinois has led to several efforts to roll back or amend the rights BIPA provides. Conservative state legislators in Illinois introduced more than a dozen proposals this year aimed at narrowing BIPA or repealing it entirely.

Those bills met with stiff resistance from hundreds of individuals and privacy groups testifying in support of BIPA, and failed to gain traction.

There’s still a glimmer of hope for a few BIPA-style bills pending in states such as Massachusetts, New York and New Jersey in the middle of two-year legislative sessions.

A committee hearing was held on the Massachusetts proposal in mid-October, along with 39 other bills related to data use, data privacy and broadband access. The bill, however, hasn’t moved forward since then.