Amendments expanding the scope of ‘personally identifiable information’ came into force on July 1

Vermont amends data breach notification law with focus on biometric data protection

COMMENT Data privacy laws in two of the most populous US states have been transformed this year with the California Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act coming into force.

Then there’s Illinois’ Biometric Information Privacy Act (BIPA), introduced in 2008 to regulate the growing use of biometric data. Litigants are only required to show “harm” to establish a cognizable claim under BIPA, which allows for statutory damages of between $1,000 and $5,000 for “each violation”.

BIPA has not only become a new class action battleground in the US, it has also become a model for equivalent privacy statutes being devised by other state legislatures.

In addition, many US states are updating and amending their data breach notification laws to provide greater regulation over the use and security of personal information.

One state to recently modify its breach notice statute is Vermont, which – through the passing of Bill S.110 – has made some fairly significant changes to the state’s Security Breach Notice Act, 9 V.S.A. § 2435.

The amendments officially went into effect on July 1, 2020, and highlight the continuing trend of states seeking to regulate business entities’ use of biometric data.

Expanding the scope of PII

Prior to the amendment, Vermont’s data breach notification statute defined ‘personally identifiable information’ (PII) as an individual’s first name or first initial and last name in combination with a Social Security number; driver’s license or other identification card number; financial account number or debit card number; and account passwords, personal identification numbers, or other access codes pertaining to a financial account.

Vermont’s amendments expand the definition of PII to include numbers originating from government identification documents, genetic information, and health or wellness program records.

Significantly, Vermont’s amendments also add biometric data to the statute’s definition of PII, which is characterized as data generated from measurements or technical analysis of human body characteristics used by the owner or data licensee to identify or authenticate the consumer.

This includes data such as fingerprint, retina, or iris images, or other unique physical or digital representation of biometric data.

As a result of the amendments, if biometric data is compromised in a data breach, businesses will now have to satisfy breach notification requirements set out by Vermont’s breach notice statute.

This includes notifying the Vermont Attorney General and publicly posting the company’s breach notice on the Attorney General’s website.


Image caption: Vermont’s new data breach notification law, amended in July 2020, expands the definition of ‘personally identifiable information’

Biometric legal landscape

Biometric technologies have become increasingly sophisticated and diverse, and are used across a widening range of industries.

In response, state legislatures have sought to modernize their privacy laws to address biometric data in several ways.

Arkansas, California, the District of Columbia, New York, and Washington have also taken Vermont’s approach in amending their breach notification laws to expand the definition of ‘personal information’ to include biometric data.

Furthermore, new state consumer privacy laws, such as the CCPA and the SHIELD Act, also include biometric data within the ‘personal information’ category.

The CCPA goes further in requiring that involved entities notify consumers as to how biometric data is used.

It also provides a private right of action, allowing consumers to seek compensation, if biometric data is subject to a breach event and the company is found to have failed to implement ‘reasonable’ security measures to safeguard such data.

In addition, to combat the risk that biometric data poses – in that once it is compromised, biometric data can no longer be used as a secure identifying feature – several states have enacted new laws that focus directly on regulating the collection and use of biometric data by business entities.

Illinois’ BIPA, in particular, has attracted headlines on almost a daily basis recently, with a deluge of cases alleging violations in the pipeline.

A number of other states (and some municipalities) have also recently introduced biometric privacy bills that feature private right-of-action provisions which are similar – if not identical – to the BIPA.

It is clear that state legislatures across the US will continue to look for ways to force companies to tighten up their biometric data practices, so we can expect more regulation to emerge in the coming years.

For any companies gathering and using biometric data, then, it is imperative to devote the necessary time, effort, and resources to safeguard this data, and be agile in adapting to a rapidly evolving legal landscape.
