{"id":478,"date":"2022-05-27T11:01:18","date_gmt":"2022-05-27T15:01:18","guid":{"rendered":"https:\/\/pbacyber.com\/?p=478"},"modified":"2022-05-27T12:08:00","modified_gmt":"2022-05-27T16:08:00","slug":"current-status-of-biometrics-data-protections-within-and-beyond-pennsylvania","status":"publish","type":"post","link":"https:\/\/pbacyber.com\/index.php\/2022\/05\/27\/current-status-of-biometrics-data-protections-within-and-beyond-pennsylvania\/","title":{"rendered":"Current Status of Biometrics Data Protections Within and Beyond Pennsylvania"},"content":{"rendered":"

The Cyberlaw Update 2022<\/a> CLE program, held on April 25, 2022, included a presentation on biometrics data protections. With countless examples of biometrics scandals and settlements appearing in the news but little guidance for Pennsylvania attorneys, it seemed appropriate to provide a blog post on the topic for general consumption as well.<\/p>\n

 <\/p>\n

Biometrics<\/a> can be defined in a non-technical way as the measurement and analysis of human physical or behavioral characteristics, mainly for identification purposes. There are many types of biometrics, including fingerprints, palm prints, footprints, faceprints, iris and retinal patterns, ear geometry, DNA prints, body odor signatures, voice prints, signature dynamics, keystroke dynamics, gait patterns and more. Recent survey studies of US adult perspectives<\/a> have shown that views on biometrics and privacy perspectives are nuanced, with information about the type of biometric, the particular use case or application in society, and the actor involved (e.g., a governmental or non-governmental entity) all being relevant considerations. Biometrics data protection and biometric information privacy laws must be careful to take these nuances into account, which is not an easy task to accomplish.<\/p>\n

 <\/p>\n

An Absence of Specific Biometrics Laws in Pennsylvania\u2026for Now<\/strong>
\nSimply put, currently in Pennsylvania there is neither a specific state law nor a specific federal law offering biometrics data protections or biometrics information privacy. However, Pennsylvania attorneys must be aware of laws elsewhere to advise clients appropriately. Lack of a specific law should not be taken as a sign that clients in Pennsylvania are able to do what they want with biometrics without any restrictions whatsoever. Other states do have laws that could be implicated, and Pennsylvania businesses and entities can run afoul of them if not paying attention to biometrics uses that involve individuals from states that have adopted specific biometrics laws or general data protection laws encompassing biometrics data. Additionally, general federal statutes\u2014such as Section 5 of the Federal Trade Commission Act (15 USC \u00a7 45<\/a>)\u2014can also impose reasonable data practice obligations, including those involving biometrics, on Pennsylvania businesses.<\/p>\n

 <\/p>\n

Other States with Laws on Biometrics<\/strong>
\nThere are three notable states with biometrics laws, and these include the Illinois Biometric Information Privacy Act or \u201cBIPA\u201d (740 ILCS 14\/1 et seq.<\/a>), the Texas Capture and Use of Biometric Identifier Act or \u201cCUBI\u201d (Tex. Bus. & Com. Code Ann. \u00a7 503.001<\/a>), and the Washington Biometric Privacy Act (Wash. Rev. Code \u00a7\u00a7 19.375.010 et seq.<\/a>). BIPA has received the most attention, attributable mainly to its strong enforcement through a private right of action. Several other states have been considering passage of specific biometrics laws recently as well, including Maryland (H.B. 259\/S.B. 335<\/a>), Massachusetts (S.220<\/a>), New York (A.27<\/a>), and West Virginia (H.B. 2064<\/a>).<\/p>\n

 <\/p>\n

States that have recently enacted general or comprehensive data protections<\/a> also are relevant for biometrics. These include the California Consumer Privacy Act and the California Privacy Rights Act (Cal. Civ. Code \u00a7 1798.100 et seq.<\/a>), Colorado Privacy Act (S.B.21-190<\/a>), Virginia Consumer Data Protection Act (Code of Virginia \u00a7 59.1-571 through 59.1-581<\/a>) and the Utah Consumer Privacy Act (S.B.227<\/a>). The California law is arguably the most protective of biometrics, defining \u201cpersonal information\u201d as including \u201cbiometric information,\u201d a term in further defines quite comprehensively and in such a way that raw biometric data and source materials (such as photographs and other sources \u201cfrom which an identifier template\u2026can be extracted\u201d) are within scope.<\/p>\n

 <\/p>\n

Legislative Activity in Pennsylvania to Watch<\/strong>
\nWhile the Pennsylvania General Assembly has not been prioritizing biometrics, there are several bills that would implicate biometrics data protections or information privacy rights. These include the Consumer Data Protection Act (H.B. 2257<\/a>, introduced by Rep. Kenyatta on 1\/20\/2022) that defines \u201cbiometric data\u201d; the Consumer Privacy Act (H.B. 2202<\/a>, introduced by Rep. Mercuri on 12\/13\/21) that defines \u201cbiometric information\u201d; the Consumer Data Privacy Act (H.B. 1126<\/a>, introduced by Rep. Neilson on 4\/7\/2021) that defines \u201cpersonal information\u201d as including, but not providing a definition for, \u201cbiometric information\u201d; Amending the breach of personal information notification act (S.B. 608<\/a>, introduced by Sen. Phillips-Hill on 4\/27\/2021) that defines \u201cpersonal information\u201d to include \u201cunique biometric data\u201d); and the Student Data Privacy and Protection Act (S.B. 37<\/a>, introduced by Sen. Phillips-Hill on 1\/20\/2021), which defines \u201cbiometric identifier.\u201d While nuance and context-specificity is often justifiable when designing biometric data protection policy, there is little indication that recent legislative activity involves deliberate decisions about choice of terminology following careful consideration and debate regarding the intended scope and strength of protections to be offered in specific societal applications of biometrics (e.g., biometric data, information, and identifiers are not synonymous or offer identical protections).<\/p>\n

 <\/p>\n

Federal Legislative Activity to Watch<\/strong>
\nMore than 200 unique bills were introduced in the 116th Congress related to biometrics deploying a wide range of terminology and obligations. The most notable bill on point has been the National Biometric Information Privacy Act of 2020 (S.4400<\/a>, introduced 08\/03\/2020), sponsored by Sen. Merkley (D-OR) and Sen. Sanders (I-VT). While the bill has not been re-introduced, it would have applied to private but not governmental actors and would have covered a wide range of \u201cbiometric identifiers\u201d although not the underlying raw biometric data or source materials). Several bills were also introduced in the 117th Congress, but none of these were comprehensive in terms of types of biometrics or societal applications covered. While it seems unlikely that federal biometrics legislation will pass in 2022, it is important to keep an eye on biometrics within the broader context of policy discussions regarding privacy law reforms.<\/p>\n

 <\/p>\n

Attention to Detail is Essential When Interpreting Biometrics Laws<\/strong>
\nWhen advising clients considering use of biometrics, it is critical to review the applicability of these laws and the obligations they might impose. Biometric laws are tricky, and attorneys need to be very mindful of terminology and variations in the definitions for each statute\u2019s scope of protections provided and obligations imposed. Carveouts, exceptions and exemptions vary at both the data level (e.g., sometimes protecting some types of biometrics but not others) and entity level (e.g., sometimes applying or not applying to governmental agencies and law enforcement, commercial entities, educational institutions, healthcare organizations, and others). Moreover, in the absence of federal and state laws directly on point, it is also important to perform due diligence to ensure there are no applicable local ordinances for biometrics (e.g., ordinances similar to New York City\u2019s Tenant Data Privacy Act<\/a> or Biometric Identifier Information Ordinance<\/a> or Portland, Oregon\u2019s ban on facial recognition<\/a> by commercial entities or governmental actors).<\/p>\n

 <\/p>\n

Jennifer K. Wagner, J.D., Ph.D., is a solo practicing attorney and also is Assistant Professor of Law, Policy and Engineering at the Pennsylvania State University. She has been a member of the PBA Cybersecurity & Data Privacy Committee since 2018, is a former contributing editor of the Genomics Law Report and has published scholarly articles in prominent legal and scientific journals, including the Journal of Law & Biosciences; Journal of Law, Medicine, & Ethics; Albany Law Journal of Science & Technology; Virginia Sports and Entertainment Law Journal; North Carolina Journal of Law and Technology; Science; Nature Communications; Nature Medicine; American Journal of Human Genetics; Human Genetics and Genomics Advances; Genetics in Medicine; and PLOS Genetics. She served as a AAAS Congressional Fellow in a U.S. Senator\u2019s office in 2014-2015, and her work has been cited by the Supreme Court of the United States. You may follow her on Twitter as @DNAlawyer. Views expressed are her own.<\/p>\n","protected":false},"excerpt":{"rendered":"

The Cyberlaw Update 2022 CLE program, held on April 25, 2022, included a presentation on biometrics data protections. With countless examples of biometrics scandals and settlements appearing in the news but little guidance for Pennsylvania attorneys, it seemed appropriate to provide a blog post on the topic for general consumption as well.   Biometrics can
Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,4],"tags":[],"_links":{"self":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/478"}],"collection":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/comments?post=478"}],"version-history":[{"count":7,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/478\/revisions"}],"predecessor-version":[{"id":490,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/posts\/478\/revisions\/490"}],"wp:attachment":[{"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/media?parent=478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/categories?post=478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pbacyber.com\/index.php\/wp-json\/wp\/v2\/tags?post=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}