The Cyberlaw Update 2022 CLE program, held on April 25, 2022, included a presentation on biometrics data protections. With countless examples of biometrics scandals and settlements appearing in the news but little guidance for Pennsylvania attorneys, it seemed appropriate to provide a blog post on the topic for general consumption as well.
Biometrics can be defined in a non-technical way as the measurement and analysis of human physical or behavioral characteristics, mainly for identification purposes. There are many types of biometrics, including fingerprints, palm prints, footprints, faceprints, iris and retinal patterns, ear geometry, DNA prints, body odor signatures, voice prints, signature dynamics, keystroke dynamics, gait patterns and more. Recent survey studies of US adult perspectives have shown that views on biometrics and privacy perspectives are nuanced, with information about the type of biometric, the particular use case or application in society, and the actor involved (e.g., a governmental or non-governmental entity) all being relevant considerations. Biometrics data protection and biometric information privacy laws must be careful to take these nuances into account, which is not an easy task to accomplish.
An Absence of Specific Biometrics Laws in Pennsylvania…for Now
Simply put, currently in Pennsylvania there is neither a specific state law nor a specific federal law offering biometrics data protections or biometrics information privacy. However, Pennsylvania attorneys must be aware of laws elsewhere to advise clients appropriately. Lack of a specific law should not be taken as a sign that clients in Pennsylvania are able to do what they want with biometrics without any restrictions whatsoever. Other states do have laws that could be implicated, and Pennsylvania businesses and entities can run afoul of them if not paying attention to biometrics uses that involve individuals from states that have adopted specific biometrics laws or general data protection laws encompassing biometrics data. Additionally, general federal statutes—such as Section 5 of the Federal Trade Commission Act (15 USC § 45)—can also impose reasonable data practice obligations, including those involving biometrics, on Pennsylvania businesses.
Other States with Laws on Biometrics
There are three notable states with biometrics laws, and these include the Illinois Biometric Information Privacy Act or “BIPA” (740 ILCS 14/1 et seq.), the Texas Capture and Use of Biometric Identifier Act or “CUBI” (Tex. Bus. & Com. Code Ann. § 503.001), and the Washington Biometric Privacy Act (Wash. Rev. Code §§ 19.375.010 et seq.). BIPA has received the most attention, attributable mainly to its strong enforcement through a private right of action. Several other states have been considering passage of specific biometrics laws recently as well, including Maryland (H.B. 259/S.B. 335), Massachusetts (S.220), New York (A.27), and West Virginia (H.B. 2064).
States that have recently enacted general or comprehensive data protections also are relevant for biometrics. These include the California Consumer Privacy Act and the California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (S.B.21-190), Virginia Consumer Data Protection Act (Code of Virginia § 59.1-571 through 59.1-581) and the Utah Consumer Privacy Act (S.B.227). The California law is arguably the most protective of biometrics, defining “personal information” as including “biometric information,” a term in further defines quite comprehensively and in such a way that raw biometric data and source materials (such as photographs and other sources “from which an identifier template…can be extracted”) are within scope.
Legislative Activity in Pennsylvania to Watch
While the Pennsylvania General Assembly has not been prioritizing biometrics, there are several bills that would implicate biometrics data protections or information privacy rights. These include the Consumer Data Protection Act (H.B. 2257, introduced by Rep. Kenyatta on 1/20/2022) that defines “biometric data”; the Consumer Privacy Act (H.B. 2202, introduced by Rep. Mercuri on 12/13/21) that defines “biometric information”; the Consumer Data Privacy Act (H.B. 1126, introduced by Rep. Neilson on 4/7/2021) that defines “personal information” as including, but not providing a definition for, “biometric information”; Amending the breach of personal information notification act (S.B. 608, introduced by Sen. Phillips-Hill on 4/27/2021) that defines “personal information” to include “unique biometric data”); and the Student Data Privacy and Protection Act (S.B. 37, introduced by Sen. Phillips-Hill on 1/20/2021), which defines “biometric identifier.” While nuance and context-specificity is often justifiable when designing biometric data protection policy, there is little indication that recent legislative activity involves deliberate decisions about choice of terminology following careful consideration and debate regarding the intended scope and strength of protections to be offered in specific societal applications of biometrics (e.g., biometric data, information, and identifiers are not synonymous or offer identical protections).
Federal Legislative Activity to Watch
More than 200 unique bills were introduced in the 116th Congress related to biometrics deploying a wide range of terminology and obligations. The most notable bill on point has been the National Biometric Information Privacy Act of 2020 (S.4400, introduced 08/03/2020), sponsored by Sen. Merkley (D-OR) and Sen. Sanders (I-VT). While the bill has not been re-introduced, it would have applied to private but not governmental actors and would have covered a wide range of “biometric identifiers” although not the underlying raw biometric data or source materials). Several bills were also introduced in the 117th Congress, but none of these were comprehensive in terms of types of biometrics or societal applications covered. While it seems unlikely that federal biometrics legislation will pass in 2022, it is important to keep an eye on biometrics within the broader context of policy discussions regarding privacy law reforms.
Attention to Detail is Essential When Interpreting Biometrics Laws
When advising clients considering use of biometrics, it is critical to review the applicability of these laws and the obligations they might impose. Biometric laws are tricky, and attorneys need to be very mindful of terminology and variations in the definitions for each statute’s scope of protections provided and obligations imposed. Carveouts, exceptions and exemptions vary at both the data level (e.g., sometimes protecting some types of biometrics but not others) and entity level (e.g., sometimes applying or not applying to governmental agencies and law enforcement, commercial entities, educational institutions, healthcare organizations, and others). Moreover, in the absence of federal and state laws directly on point, it is also important to perform due diligence to ensure there are no applicable local ordinances for biometrics (e.g., ordinances similar to New York City’s Tenant Data Privacy Act or Biometric Identifier Information Ordinance or Portland, Oregon’s ban on facial recognition by commercial entities or governmental actors).
Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy and Engineering at the Pennsylvania State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator’s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.