Client Alert: Maryland Considers Adoption of Biometric Data Privacy Act
Date: February 23. 2023
With some exceptions, all private entities, broadly defined in HB 33 to include “any individual, partnership, corporation, limited liability company, association, or other group,” would be subject to the Biometric Act’s requirements. HB 33 defines “biometric data” as:
“… data generated by automatic measurements of the biological characteristics of an individual, such as a fingerprint, a voiceprint, an eye retina, an eye iris, or any other unique biological patterns or characteristics, that is used to identify a specific individual.”
Both physical and digital photographs, as well as video and audio recordings, are excluded from the definition of biometric data.
If passed into law, the Biometric Act would require each private entity which collects or uses biometric data to develop and implement written policies establishing retention schedules and guidelines for permanently destroying biometric data on the earliest to occur of (i) the date on which the initial purpose for collecting the biometric data has been satisfied, (ii) within 3 years after an individual’s last interaction with the private entity, or (iii) 30 days after the private entity receives a request from an individual to delete their biometric data. The Biometric Act, would also require entities which collect or use biometric data to implement safeguards to prevent unauthorized and unintended disclosures of biometric data, both in storage and in transit. Upon receiving requests from individuals, those private entities would be required to disclose, free of charge, the categories of individuals’ biometric data which they possess and the purposes for which the biometric data is used.
Absent individuals’ express, unambiguous and informed consent, HB 33 would prevent private entities from collecting, using, disclosing, redisclosing or otherwise disseminating biometric data. The law would include exceptions allowing private entities to (i) comply with valid warrants, subpoenas and other applicable laws and (ii) cooperate with law enforcement. If adopted, HB 33 would generally prevent the sale, leasing or trade of individuals’ biometric data. Private entities that contract with processors to collect, store or process biometric data would be obliged to prohibit the processors from taking any action with such data beyond the consented-to purpose for which the data was collected.
Violations of the Biometric Act would be deemed unfair, abusive or deceptive trade practices subject to enforcement by the Maryland Attorney General and, in some cases, by lawsuits by private individuals.
Last, but not least, it is notable that HB 33 is loosely modeled after the Illinois Biometric Information Privacy Act, which was enacted about 15 years ago and has been the subject of extensive and costly litigation. So, observers like Whiteford will be watching with interest as to whether this bill, if passed, ultimately includes changes intended to address lessons learned from the Illinois version of the bill.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.