Pending legislation could create new consumer privacy rights in Massachusetts. Earlier this year, Senator Cynthia Creem presented An Act Relative to Consumer Data Privacy in the Massachusetts Senate. This Consumer Privacy Bill, SD.341, combines key aspects of the California Consumer Privacy Act (CCPA) and Illinois’s Biometric Information Privacy Act (BIPA). This bill would allow Massachusetts consumers a private right of action if their personal information or biometric information (referred to separately in the bill) is improperly collected.

The Consumer Privacy Bill defines “biometric information” as an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

The bill defines “personal information” as any information relating to an identified or identifiable consumer. “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.

However, this definition does not include publicly available information or consumer information that is deidentified or aggregate consumer information. Moreover, the bill creates an exception for a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer. Therefore unlike California’s CCPA, where the application to employee data remains an open question, under the current text of the Massachusetts bill it is pretty clear that the law would not apply to employee data as defined above. That said, it is still early in the legislative process and the bill could be revised to include employee data.

The pending legislation would require businesses collecting a Massachusetts consumer’s personal information to notify the consumer of the following rights before the point of collection:

(1) The categories of personal information it will collect about that consumer;

(2) The business purposes for which the categories of personal information shall be used;

(3) The categories of third parties with whom the business discloses personal information;

(4) The business purpose for third party disclosure; and

(5) The consumer’s rights to request:

                  (A) A copy of the consumer’s personal information;

                  (B) The deletion of the consumer’s personal information; and

                  (C) Opt-out of third party disclosure.

In addition to this notice requirement, the bill would give consumers a statutory right to request that businesses collecting their personal information disclose to the consumer:

(1) The specific pieces of personal information the business has collected about that consumer;

(2) The sources from which the consumer’s personal information was collected;

(3) The names of third parties to whom the business disclosed the consumer’s personal information; and

(4) The business purpose for third party disclosure.

Businesses would have to make available to consumers two or more designated methods for submitting consumer verified requests for personal information, including, if the business maintains a web site, a link on the home page of the web site. A business receiving a verifiable consumer request generally must provide the requested information within 45 days of receiving the request, but may extend that period once by an additional 45 days, so long as the request for the extension is provided within the first 45-day period. The proposed legislation also creates a consumer right to request that a business delete any personal information collected from the consumer, and the right to opt out of third party disclosure at any time.

The legislation would be enforceable both through a private right of action and by the Massachusetts Attorney General. A consumer could recover damages in an amount not greater than $750 per consumer per incident or actual damages, whichever is greater (for any violation of the act); (2) injunctive or declaratory relief, and (3) reasonable attorney fees and costs. The Attorney General would be authorized to obtain a temporary restraining order or preliminary or permanent injunction against a violation of the Act. In addition, the Attorney General may seek a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.

This Consumer Privacy Bill would impose administrative burdens on businesses, including an obligation to train employees, as well as creating new exposure to damages and penalties. Given the litigation we are seeing under BIPA, businesses collecting Massachusetts consumers’ personal information should monitor the progress of this legislation to determine whether they should begin preparations for complying with yet another consumer privacy provision.

 

In 2018, Delta paved the way in airport terminal development, by introducing the first biometric terminal at the Hartsfield-Jackson Atlanta International Airport where passengers can use facial recognition technology from curb to gate. Delta now offers members of its Sky Club airport lounges to enter using fingerprints rather than a membership card or boarding pass. Other airlines use biometric data to verify travelers during the boarding process with a photo-capture. The photograph is then matched through biometric facial recognition technology to photos that were previously taken of the passengers for their passports, visas, or other government documentation.

Though the use of a fingerprint or facial scan aims to streamline and expedite the travel process and strengthen the security of air travel, it also presents heightened security risks for biometric data on a larger sale. As the use of biometric data increases, the more expansive the effects of the data breach becomes. While it’s possible to change a financial account number, a driver’s license number or even your social security number, you can’t change your fingerprint or your face, easily anyway. Furthermore, in the past, facial recognition software had not been able to accurately identify people of color, raising concerns that individuals may be racially profiled.

Yet, many argue that biometric-based technologies can be used to help solve vexing security and logistics challenges concerning travel. For example, in 2016, Congress authorized up to $1 billion collected from certain visa fees to fund implementation of biometric-based exit technology. That was followed by President Trump’s executive order signed in March 2017 directing the Department of Homeland Security to expedite implementation of biometric entry-exit tracking system for all travelers to the United States. As it stands, we are likely to see a rapid expansion of biometric technology used by airlines and other businesses in the travel industry, so prepare your picture perfect travel face!

Notably, the use of biometric data is growing across all industries and in a variety of different applications – e.g., premises security, time management, systems access management. But, so is the number of state laws intending to protect that data. States such as Illinois, Texas, and Washington are leading the way with others sure to follow. Regulations include notice and consent requirements, mandates to safeguard biometric information, and obligations notify individuals in the event biometric information is breached. And, litigation is increasing. The Illinois Supreme Court recently handed down a significant decision, for example, concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA. The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA.

Companies, regardless of industry, should be reevaluating their biometric use practices, and taking steps to comply with a growing body of law surrounding this sensitive information.

Earlier today, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act.  Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act.  To date, no Illinois court has interpreted the meaning of “per violation,” but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.

If they have not already done so, companies should immediately take steps to comply with the statute. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BIPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps.  For additional information on complying with the BIPA, please see our BIPA FAQs.

Companies were hoping that the Illinois Supreme Court would ultimately conclude, consistent with the underlying appellate decision, that in order for a plaintiff to bring a claim under the BIPA (i.e. in order for the plaintiff to be considered “aggrieved”) the plaintiff would have to allege actual harm or injury, and not just a procedural or technical violation of the statute.  In reversing and remanding the case, the Illinois Supreme Court held:

The duties imposed on private entities by section 15 of the Act (740 ILCS 14/15) regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Consistent with the authority cited above, such a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act (740 ILCS 14/20) and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.

The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA.  In the words of the Illinois Supreme Court, “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced.”

An Illinois nursing home is facing a putative class action lawsuit filed by a worker who argues that the facility’s required fingerprint scan for timekeeping poses a threat to their privacy, and violates Illinois’s Biometric Information Privacy Act (“BIPA”). From July 2017 to October 2017, at least 26 employment class actions based on the BIPA have been filed in Illinois state court and show no sign of slowing.

Although some consider Illinois the leader in biometric data protection, other states have enacted laws similar to the BIPA, and still others are considering such legislation. Companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared. For more information on the nursing home case and advise on how to prepare when collecting biometric information, our comprehensive article is available here.

Below are additional resources to help navigate biometric information protection laws:

Not to be outdone by the recent attention to biometric information in Illinois, and the Prairie State’s Biometric Information Privacy Act (BIPA), Washington enacted a biometric data protection statute of its own, HB 1493, which became effective July 23, 2017.

What it notable about Washington’s new biometric information law?

  • It prohibits “persons” from “enrolling” “biometric identifiers” in a database for a “commercial purpose” without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of the biometric identifiers for a commercial purpose. Lots of definitions, more on that below.
  • The exact type of notice and consent should depend on the context, and notice must be given through a procedure reasonably designed to be readably available to affected individuals. Note that the law does not require notice and consent if the person collects, captures, or enrolls a biometric identifier and stores it in a biometric system, or otherwise, in furtherance of a security purpose.
  • In general, a person that has obtained a biometric identifier from an individual and enrolled that identifier may not sell, lease or otherwise disclose the identifier absent consent. There are, of course, some exceptions, such as the disclosure being necessary to provide a product requested by the individual. In addition, a person generally may not use or disclose a biometric identifier for a purpose that is materially inconsistent with the terms under which the identifier was originally provided.
  • Persons that possess biometric identifiers of individuals that have been enrolled for a commercial purpose must (i) have reasonable safeguards to protect against unauthorized access or acquisition to the identifiers, and (ii) not retain the identifiers for longer than is necessary to carry out certain functions, such as providing the product for which the identifier was acquired.
  • There is no private right of action under the new Washington law. It is to be enforced by the state’s Attorney General. Remember that Illinois’ BIPA does permit persons to sue for violations of that law.

To understand how the law applies, one needs to review the defined terms. For example, the term “biometric identifiers” means:

data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric identifier” does not include a physical or digital photograph, video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under the federal health insurance portability and accountability act of 1996.

The law also defines “commercial purpose” to mean:

a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier.

And, the term “enroll” means

to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.

The use of biometrics and biometric identifiers in commercial transactions and for other purposes is growing, and so is the number of state laws intending to protect that kind of data. Businesses that use or disclose biometrics in carrying out their business should carefully consider whether this new state law applies and, if so, what they need to do to comply.

Capturing the time employees’ work can be a difficult business. In addition to the complexity involved with accurately tracking arrival times, lunch breaks, overtime, etc. across a range of federal and state laws (check out our Wage and Hour colleagues who keep up on all of these issues), many employers worry about “buddy punching” or other situations when time entered into their time management system is entered by a person other than the employee to whom the time relates. To address that worry, some companies have implemented biometric tools to validate time entries. A simple scan of an individual’s fingerprint, for example, can validate that individual is the employee whose time is being entered. But that simple scan can come with some significant compliance obligations, as well as exposure to litigation as discussed in a recent Chicago Tribune article.

The use of biometric data still seems somewhat futuristic and high-tech, but the technology has been around for a while, and there are already a number of state laws addressing the collection, use and safeguarding of biometric information. We’ve discussed some of those here, including the Illinois Biometric Information Privacy Act (BIPA)which is the subject of the litigation referenced above. Notably, the Illinois law permits individuals to sue for violations and, if successful, can recover liquidated damages of $1,000 or actual damages, whichever is greater, along with attorneys’ fees and expert witness fees. The liquidated damages amount increases to $5,000 if the violation is intentional or reckless.

For businesses that want to deploy this technology, whether for time management, physical security, validating transactions or other purposes, there are a number of things to be considered. Here are just a few:

  • Is the company really capturing biometric information as defined under the applicable law? New York Labor Law Section 201-a generally prohibits the fingerprinting of employees by private employers. However, a biometric time management system may not actually be capturing a “fingerprint.” According to an opinion letter issued by the State’s Department of Labor on April 22, 2010, a device that measures the geometry of the hand is permissible as long as it does not scan the surface details of the hand and fingers in a manner similar or comparable to a fingerprint. But, under BIPA, this distinction may not work in some cases. “Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual, such as a fingerprint. As a federal district court explained: The affirmative definition of “biometric information” does important work for [BIPA]; without it, private entities could evade (or at least arguably could evade) [BIPA]’s restrictions by converting a person’s biometric identifier into some other piece of information, like a mathematical representation or, even simpler, a unique number assigned to a person’s biometric identifier. So whatever a private entity does in manipulating a biometric identifier into a piece of information, the resulting information is still covered by [BIPA] if that information can be used to identify the person.
  • How long should biometric information be retained? A good rule of thumb – avoid keeping personal information for longer than is needed. The Illinois statute referenced above codifies this rule. Under that law, biometric identifiers and biometric information must be permanently destroyed when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the entity collecting it, whichever occurs first.
  • How should biometric information be accessed, stored and safeguarded? Before collecting biometric data, companies may need to provide notice and obtain written consent from the individual. This is the case in Illinois. As with other personal data, if it is accessible to or stored by a third party services provider, the company should obtain written assurances from its vendors concerning such things as minimum safeguards, record retention, and breach response.
  • Is the company ready to handle a breach of biometric data? Currently, 48 states have passed laws requiring notification of a breach of “personal information.” Under those laws, the definitions of personal information vary, and the definitions are not limited to Social Security numbers. A number of them include biometric information, such as Connecticut, Illinois, Iowa and Nebraska. Accordingly, companies should include biometric data as part of their written incident response plans.

The use of biometrics is no longer something only seen in science fiction movies or police dramas on television. It is entering mainstream, including the workplace and the marketplace. Businesses need to be prepared.

Fingerprints, voice prints and vein patterns in a person’s palm are three examples of biometrics that may be “moving into the consumer mainstream to unlock laptops and smartphones, or as a supplement to passwords at banks, hospitals and libraries,” reports Anne Eisenberg at the New York Times. Of course, these technologies, aimed at increasing security and, to a lesser degree, convenience, raise data privacy concerns and other risks. However effective, convenient, and efficient these technologies may be, companies need to think through carefully their adoption and implementation, particularly in the workplace.

Below are just a few of the kinds of questions companies should be asking before implementing technologies that involve capturing biometric information.  It is likely that such technologies will go mainstream and, if so, spawn new laws regulating the use of biometric information. Thus, companies using such technologies will need to continue to monitor the legal landscape to manage their risks.

Can we collect this information? In some cases, the answer may be no. For example, in New York, Labor Law Section 201-a prohibits the fingerprinting of employees by private employers, unless required by law. However, according to an opinion letter issued by the State’s Department of Labor on April 22, 2010, a device that measures the geometry of the hand is permissible as long as it does not scan the surface details of the hand and fingers in a manner similar or comparable to a fingerprint. Other states may permit the collection of biometric information provided certain steps are taken. The Illinois Biometric Information Privacy Act, for instance, prohibits private entities from obtaining a person’s or customer’s biometric identifier or biometric information unless the person is informed in writing and consents in writing.

If we can collect it, do we have to safeguard it?  Regardless of whether a statute requires a business to safeguard such information, we believe it is good practice to do so. However, states such as Illinois (see above) already require a reasonable standard of care when storing, transmitting or disclosing biometric information.

Is there a notification obligation if unauthorized persons get access to biometric information? In some states the answer is yes.  The breach notification statutes in states such as Michigan include biometric data in the definition of personal information. MCLS § 445.72

Are there any requirements for disposing of this information? Yes, a number of states (e.g., Colorado and Massachusetts) require that certain entities meet minimum standards for properly disposing records containing biometric information.

Can employees claim this technology amounts to some form of discrimination? In addition to securing devices and accounts, biometric technologies also are being used to track employee time and attendance in order to enhance workforce management. These different applications can form the basis of discrimination claims. For example, earlier in 2013, the U.S. Equal Employment Opportunity Commission (EEOC) claimed an employer’s use of a biometric hand scanner to track employee time and attendance violated federal law by failing to accommodate certain religious beliefs which opposed the use of such devices.

Retinal scan technology is another biometric technology that can be used for identification/security purposes.  However, as explained in a recent Biometric.com article, “examining the eyes using retinal scanning can aid in diagnosing chronic health conditions such as congestive heart failure and atherosclerosis…[as well as] diseases such as AIDS, syphilis, malaria, chicken pox and Lyme disease [and] hereditary diseases, such as leukemia, lymphoma, and sickle cell anemia.” Thus, the data captured by such scans can inform employers about the health conditions of their employees, raising a range of medical privacy, medical inquiry and discrimination issues under federal and state laws, such as the Americans with Disabilities Act. 

On June 25, 2024, Rhode Island became the 20th state to enact a comprehensive consumer data protection law, the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”). The state joins Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey in passing consumer data privacy laws this year.

The RIDTPPA takes effect on January 1, 2026.

To Whom does the law apply?

The law applies to two types of organizations, defined as “controllers”:

1. For-profit  entities that conduct business in the state of Rhode Island or that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

  • Controlled or processed the personal data of not less than thirty-five thousand (35,000)

customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or

  • Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

2. A commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or that is otherwise subject to Rhode Island jurisdiction and collects stores, and sells customers’ personally identifiable information.

Who is protected by the law?

Customer means an individual residing in Rhode Island who is acting in an individual or household context. The definition of customer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data, which is defined as any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

RIDTPPA contains numerous exceptions for specific types of data including data that meets the definition of protected health information under HIPAA, personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and personal data regulated by the federal Family Educations Rights and Privacy Act.

The law also provides heightened protection for sensitive data, which means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; the personal data of a known child; or precise geolocation data.

What are the rights of customers?

Under the law, customers have the following rights with respect to data collected by for-profit  entities that conduct business in the state or produce products or services targeted to residents of the state and meet one of the relevant thresholds:

  • Confirm whether a controller is processing their personal data and access that data.
  • Correct inaccuracies in the data a controller is processing.
  • Have personal data deleted unless the retention of the personal data is permitted or required by law.
  • Port personal data.
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the customer.

Under the law, customers also have a right to receive notice from commercial websites or internet service providers of their data collection activities.

What obligations do controllers have?

Both categories of controllers under Rhode Island’s law are required to provide a notice of data collection activities. Controllers that are for-profit  entities conducting business in the state or producing products or services targeted to residents of the state and that meet one of the relevant thresholds have the following additional obligations:

  • Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect, the confidentiality, integrity, and accessibility of personal data.
  • Obtain consent prior to processing a customer’s sensitive personal data.
  • Conduct and document a data privacy and protection assessment for processing activities that represent heightened risk.
  • Contractually obligate any processors who will process personal data on behalf of the organization to adhere to specific data protection obligations including ensuring the security of the processing.

How is the law enforced?

The statute will be enforced by the Rhode Island Attorney General and does not provide for a right to cure. The statute does not create a private right of action.

If you have questions about Rhode Island’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On May 24, 2024, Minnesota’s governor signed an omnibus bill, HF4757 which included the new Consumer Data Privacy Act. The state joins Kentucky, Nebraska, New Hampshire, New Jersey, and Rhode Island in passing consumer data privacy laws this year.

Minnesota’s law takes effect July 31, 2025, except that postsecondary institutions and nonprofit corporations governed by Minnesota Statutes, chapter 317A, are not required to comply until July 31, 2029.

To who does the law apply?

The law applies to legal entities that conduct business in the state of Minnesota or that provide products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

  • Controls or processes personal data of 100,00 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or,
  • Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

Companies that are deemed a “small business” as defined by the United States Small Business Administration under the Code of Federal Regulations, title 13, part 121, are exempt from compliance with the exception that they must not sell a consumer’s sensitive data without the consumer’s prior consent.

Who is protected by the law?

Consumer means an individual who is a resident of the State of Minnesota. The definition of consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

The law protects personal data, which is defined as any information that is linked or reasonably linked to an identified or identifiable individual. Personal data excludes de-identified data and publicly available information.

The Consumer Data Privacy Act contains numerous exceptions for specific types of data including data that meets the definition of protected health information under HIPAA, personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and personal data regulated by the federal Family Educations Rights and Privacy Act.

The law also provides heightened protection for sensitive data, which means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; the processing of biometric data or genetic information for the purpose of uniquely identifying an individual; the personal data of a known child; or specific geolocation data.

What are the rights of consumers?

Under the law, consumers have the following rights:

  • Confirm whether a controller is processing their personal data
  • Access to personal data a controller is processing
  • Correct inaccuracies in data a controller is processing
  • Have personal data deleted unless the retention of the personal data is required by law
  • Obtain a list of the categories of third parties to which the controller discloses personal data.
  • Port personal data
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.

What obligations do controllers have?

Controllers under Minnesota’s law have the following obligations:

  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect, the confidentiality, integrity, and accessibility of personal data.
  • Document and maintain a description of the policies and procedures to comply with the law.
  • Conduct and document a data privacy and protection assessment for high-risk processing activities.
  • Contractually obligate service providers who will process personal data on behalf of the organization to adhere to specific data protection obligations including ensuring the security of the processing.

How is the law enforced?

The statute will be enforced by Minnesota’s attorney general. Prior to filing an enforcement action, the attorney general must provide the controller or processor with a warning letter identifying the specific provisions alleged to be violated. If after 30 days of issuance of the letter the attorney general believes the violation has not been cured, an enforcement action may be filed. The right to cure sunsets on January 31, 2026.

The statute specifies that it does not create a private right of action.

If you have questions about Minnesota’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On August 2, 2024, Governor Pritzker signed Senate Bill (SB) 2979, which amends the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA). The bill, which passed both the Illinois House and Senate by an overwhelming majority, confirms that a private entity that more than once collects or discloses the same biometric identifier or biometric information from the same person via the same method of collection in violation of the Act has committed a single violation for which an aggrieved person is entitled to, at most, one recovery. SB 2979 adds the following clarifying language into Section 20 of the BIPA, which is the section of the statute that identifies the damages a prevailing party mayrecover under the Act:

(b) For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

(c) For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

The amendment takes effect immediately.

Background

In Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court held that claims under Sections 15(b) and (d) of the BIPA accrue “with every scan or transmission” of alleged biometric identifiers or biometric information.  Yet, the Illinois Supreme Court, in deciding the issue of claim accrual under Sections 15(b) and (d) of the BIPA, acknowledged that there was some ambiguity about how its holding should be construed in connection with Section 20 of the BIPA, which outlines the damages that a prevailing party may recover. Notably, the Illinois Supreme Court acknowledged, “there is no language in the Act suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” which would be the result if the legislature intended to award statutory damages on a “per-scan” basis. The Court went on to say that “policy-based concerns about potentially excessive damage awards under the Act are best addressed by the legislature” and expressly “suggest[ed] that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.”

SB 2979 was introduced in the Illinois Senate on January 31, 2024, in response to the invitation from the Illinois Supreme Court and clarifies the General Assembly’s intention regarding the assessment of damages under the BIPA.

Electronic Signatures

In addition, the bill also adds “electronic signature” to the definition of written release, clarifying that an electronic signature constitutes a valid written release under Section 15(b)(3) of the BIPA. An electronic signature is defined in SB 2979 as “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign a record.”

If you have questions about SB 2979 or related issues, please contact a member of our Privacy, Data, and Cybersecurity group.