LexisNexis: States using biometrics in data privacy battle
08 August 2019 16:09 GMT

According to the LexisNexis State Net legislative database, at least 24 states and Congress this year considered measures to implement new or amend current data breach notification laws. At least nine so far have passed, with bills still pending in several states.

In a statement on its website, the firm said that while many of those measures focus on notification requirements for companies or government agencies that suffer a breach, there has also been a growing emphasis on broadening what actually constitutes data that must be protected, and specifically consumers’ biometric data.

Biometric data consists of the identifying characteristics of a person’s body or mind, broken down into two main categories. Physiological biometrics pertain to the body, from DNA, retinal scans and fingerprints to something like the shape of a person’s hand or face or the sound of their voice. Behavioral biometrics encompass a person’s specific movements and actions – such as the gait of their walk – and even thought patterns, like how they solve complex analytical problems.

Prior to this year, only Illinois, Texas and Washington had comprehensive laws regarding the care of biometric data. According to the National Conference of State Legislatures – which uses LexisNexis State Net tracking tools – at least 26 states this year weighed bills that deal specifically with the collection, retention and use of biometric data. Measures in three of those states, Arkansas, New York and Washington, have been signed into law, with several bills still pending in California, Minnesota, New Hampshire, Massachusetts, New York, New Jersey, Washington and Rhode Island (see Bird’s Eye View in this issue).

Cities have also started to take action on their own. This year, San Francisco became the first city in the country to ban the use of facial recognition programs by local governments. The law was quickly adopted across the Bay in Oakland and across the nation in Somerville, Massachusetts. Berkeley, California is also considering a ban.

In addition to imposing several new breach reporting requirements, the bill Arkansas Gov. Asa Hutchinson (R) signed in April (HB 1943) adds biometric data to the law’s definition of personally identifiable information (PII). The new rules go into effect on August 9. The following month, Washington Gov. Jay Inslee (D) inked his signature on HB 1071, which amends the Evergreen State’s data breach law to include several new types of personally identifiable information, including biometric data.
