Maryland could soon join a growing list of states imposing restrictions on companies that collect biometric identifiers — a person’s unique biological data that confirms their identity, such as fingerprints, faceprints and voiceprints.
The Biometric Identifiers Privacy Act, introduced in the state legislature in mid-January, would require companies to get written consent from customers before collecting any of their biometric identifiers. The bill would also require companies to keep a retention and destruction schedule for the biometrics that they do collect.
Companies must also disclose what biometric identifiers they are gathering upon request. The bill will also ban them from profiting from the biometric identifiers they collect.
The bill’s sponsor, Del. Sara Love (D-Montgomery), described the bill as setting “guardrails” on what companies can do with biometric identifiers.
From Apple’s facial recognition software to stores harvesting biometric data for security, the use of biometrics has only grown in recent years, Love said. Some employers have even used facial recognition software during the pandemic to determine whether employees are working.
“The bottom line is that [biometrics] are being collected all over the place. And we don’t even know the extent to which they’re being collected,” Love said.
California, Washington, Texas and Illinois are prominent states in the U.S. that currently regulate companies that use biometric identifiers.
Maryland’s bill mirrors Illinois’ 2008 Biometric Information Privacy Act, which affords people a private right of action against a company that violates the law — meaning individuals can sue if companies misuse their biometric identifiers.
If the bill passes, Maryland would be only the second state in the nation to afford people the ability to take companies to court if they violate the law.
“The private right of action … is the most important tool that the legislature can give to Marylanders to protect their privacy,” said Jeramie Scott, a senior counsel at the Electronic Privacy Information Center, who supported the bill at its House Economic Matters Committee hearing Wednesday. “Without this deterrent, companies will continue to mass extract and exploit our biometric information at the expense of our privacy.”
[Maryland General Assembly looks at marijuana, climate, redistricting]
In 2020, the bill passed out of the house but its run was cut short because of the pandemic, Love said. The bill did not pass out of the house in 2021 because of criticism of the private right of action, Love added.
Private companies and trade organizations voiced concerns over possible lawsuits if the bill is passed. Since the Illinois Supreme Court held that a person can seek damages based on the bill without proving harm, there has been a sharp uptick in the number of class-action lawsuits filed.
Maryland’s bill would also not require people to prove actual damages to file their suit in court and win. Pete Isberg, vice president of government relations for ADP — one of the country’s largest payroll and human resources providers — testified Wednesday before the House Economic Matters Committee that the bill will harm Maryland businesses.
“Applying liquidated damages in the employment context results in astronomical, potential liabilities which could threaten Maryland employers,” Isberg said.
But supporters of the private right of action attest that allowing legal enforcement is the only way to hold companies accountable.
Nathan Wessler is the deputy director for the American Civil Liberties Union’s Speech, Privacy and Technology Project and testified in favor of the bill at its hearing.
He told The Diamondback that understaffing at state enforcement agencies and the complexity of tracing private violations make the private right of action a better means of enforcement.
“Individuals can sometimes be in the best position to bring those cases because they’re the ones who actually have a stake in protecting their own data,” Wessler said.
[UMD’s college application asks about criminal history. Some say it’s invasive.]
A flurry of civil rights groups voiced support for the bill because of bias within biometric identification technology. Facial recognition software misidentifies people of color more often than white people, according to a 2019 federal study.
Companies such as Rite Aid also deployed facial recognition technology across stores in lower-income, non-white neighborhoods, according to Reuters.
“As these technologies start to proliferate more and more widely because companies are trying to get more efficient, to save a buck, to be able to market ads more particularly, lots of harm can result,” Wessler said.
The Senate will conduct a hearing on the bill Wednesday. With increased support from advocacy groups, Love is hopeful that the bill will progress this year.
And for Wessler, the prospect of Maryland becoming a national leader in the biometric privacy sphere adds to the urgency of this legislation.
“Technology is advancing fast. The law has not kept up,” Wessler said. “We really can’t wait for these kinds of protections any longer.”