In Florida, the state legislature is considering two bills, known as the Florida Biometric Information Privacy Act, that would introduce new biometric data privacy laws, as reported by Health IT Security.
The bills in question, SB 1270 and HB 1153, were introduced by State Sen. Gary Farmer, Jr. and State Rep. Bobby DuBose, respectively. They’re both meant to establish requirements and restrictions on private businesses for the use, collection, and maintenance of biometric identifiers and biometric information.
“The Florida Biometric Information Privacy Act would ensure that all Floridians are notified in writing that their biometric information is being collected and what the process is for the use of those most private identifiers by organizations seeking it,” DuBose said, according to Biometric Update.
What’s considered a biometric identifier can vary. Generally, biometrics are physical characteristics that can be measured or calculated. In Florida’s case, biometric identifiers include iris or retina scans, voice prints, or the scan of someone’s hand or face.
Under the new laws, private entities who store biometric data or identifiers need to create a public, written policy that both establish a retention schedule and guidelines for permanent destruction.
All collected biometric information has to be destroyed “upon satisfaction of the initial purpose” for collection or within three years after someone’s last interaction with the entity, whichever one comes first.
In addition, businesses can’t collect, capture, or purchase someone’s biometric identifiers without authorization or notice. This also means companies can’t sell, lease, trade, or otherwise profit off a customer’s biometrics.
The bills are pretty similar to Illinois’ Biometric Information Privacy Act and follow Washington State Senate’s new data privacy bill — which took inspiration from California’s Consumer Protection Act.
What this speaks to is an emerging trend of individual states doing the work to implement data privacy practices, since there’s not much in terms of federal guidelines.
With Florida’s bills, companies who are negligent of the law would have to pay up to $1,000 in liquidated damages or actual damages, whichever amount is greater. If a company intentionally violates the law, they have to pay $5,000 in liquid damages or actual damages, whichever amount is greater.
“This common-sense legislation will give Floridians the peace of mind to know that their most valuable information is being handled responsibly and that these private companies will be held accountable for the improper use or unauthorized distribution of their information,” DuBose said, according to Biometric Update.
The Florida Biometric Information Privacy Act is proposed to take effect in October 2019.
