Senator Gary Farmer (D-FL) and Representative Bobby DuBose (D-FL) have proposed new bills concerning consumers’ data privacy rights over their biometric data.
The Florida Biometric Information Privacy Act aims to “establish requirements and restrictions on private entities as to the use, collection, and maintenance of biometric identifiers and biometric information.”
Many parts of the Florida Biometric Information Privacy Act are identical to the Illinois Biometric Information Privacy Act of 2008. The Act would require private entities to inform consumers about the reasons for collecting biometric information and how the organisation wishes to use that data. The organisation would be required to present this information to the consumer before obtaining the consumer’s consent.
An organisation would also need to inform the public of its policies covering data retention and disposal. The Act would prohibit private entities from profiting from an individual’s biometric information and bans organisations from selling, leasing, or trading the data.
The Act also has sections concerning the security of private consumer data. Private entities would need to protect the integrity of stored biometric information by implementing adequate safeguards. The organisations must also securely destroy data if the information is no longer needed for the original purpose for which it was collected. The Act also requires private entities to destroy the data after three years following the last interaction with an individual.
Biometric data is classed as any information based on an individual’s biometric identifiers that can be used to identify an individual, such as an iris/retina scan, fingerprint, voice print, or face scan. It does not include information such as handwriting samples, signatures, biological samples, medical images, or photographs.
Any information captured, used, or stored by HIPAA-covered entities for the provision of treatment, payment for healthcare, or operations covered by the HIPAA Privacy Rule is exempt from the Act.
The Florida Biometric Information Privacy Act includes a private right of action which would allow consumers to take legal action against entities that have violated their privacy and recover damages of between $1,000 and $5,000 as well as reasonable attorney fees.
“This common-sense legislation will give Floridians the peace of mind to know that their most valuable information is being handled responsibly and that these private companies will be held accountable for the improper use or unauthorized distribution of their information,” explained DuBose.
If the Florida Biometric Information Privacy Act is passed, it is due to take effect from October 1, 2019.