The Act particularly prohibits companies from collecting biometric data, including eye scans, voiceprints, faceprints and fingerprints, without consumers and employees’ consent, unless the entity first informs users of the collection, its specific purpose and the length of term for the information is being used. In addition, companies must receive informed written consent from users, which may not be combined with any other consent seeking instrument or employment contract.
Private entities in possession of biometric information are also prohibited from profiting from a person’s biometric information without informing users of the data that will be disclosed, the reason for such disclosure and the recipients of such data.
The measure would place several other requirements on private companies, including a requirement that companies establish a reasonable standard of care when in possession of biometric information and disclose the information the company has collected for an individual upon request.
Similar to the Illinois Biometric Information Privacy Act (which recently resulted in a litigation settlement for $650 million), the Act would allow both attorneys general and individuals to bring lawsuits against companies that fail to comply. The Act would not preempt more stringent state and local laws.
While the proposal is not likely to gain any traction this year given its lack of bipartisan support, this could be subject to change after the 2020 elections.