Maryland House of Delegates Passes Biometric Data Privacy Act

Takeaways:

• Maryland recently took the first step in enacting a comprehensive biometric data privacy law. On March 13, 2022, the Maryland House of Delegates passed (100-30) the Biometric Data Privacy Act. 

• The Act now goes to the Maryland Senate for review and potential passage into law.

Maryland now joins the growing number of states that are strengthening their data protection laws. By expanding upon the existing Personal Information Protection Act, written about here, the new Biometric Data Privacy Act introduces a number of requirements for biometric data (i.e. fingerprint, voiceprint, retina scan, etc.) and prohibits certain practices. If enacted, the Act would apply to individuals and all private entities except for governmental agencies and entities subject to the Gramm-Leach-Bliley Act.

Retention and Destruction Policy

The Act addresses the retention and destruction of biometric data, and sets forth several policy and destruction requirements:     

            •           each covered entity would need to develop a written policy, to be made public, establishing a retention schedule and guidelines for destroying biometric data; and

             •           the entity would be required to destroy any biometric data upon the earliest of the following: (a) the date on which the initial purpose for collecting the data has been satisfied, (b) within three years after the individual’s last interaction with the covered entity, or (c) within 30 days after the entity receives a request to delete the data.

 An entity does not have to publicize the policy if it applies only to the entity’s employees and is solely used for internal company operations.

Storage, Transmission, Disclosure and Use

The Act also addresses the storage, transmission, protection and disclosure of biometric data:

            •           the covered entity would need to use a reasonable standard of care within the industry, which can be no less protective than the manner in which the entity stores confidential and sensitive information (a separate category of data defined by the Act);

            •           the Act would prohibit any sale, leasing or trading of an individual's biometric data; and

            •           the Act would also prohibit the collection, use, dissemination or disclosure of biometric data without consent.

However, an entity may collect and use limited biometric data without consent for fraud prevention or security purposes if it posts conspicuous written notice of such collection at each point of entry.

Enforcement and Private Cause of Action

The Act contains enforcement mechanisms, as well. A violation of any provision constitutes an unfair trade practice pursuant to Maryland’s Consumer Protection Act, which provides for an administrative complaint process with the State that can result in restitution, injunctive relief and civil and criminal penalties.

Unlike some other data privacy laws, however, the Act goes a step further and permits a private cause of action for monetary damages (including attorneys’ fees) under Maryland’s CPA if a covered entity violates the specific prohibition against selling, leasing or trading biometric data. Other violations do not give rise to a private cause of action.

Conclusion

This post highlights some, but not all, of the proposed requirements concerning biometric data. While this is only a first step in a lengthy process, it does illustrate the growing scope of data privacy laws and the steps businesses will need to take to protect customers’ data.