Data Dive

The Information Commissioner’s Office (ICO), the personal data protection authority in the United Kingdom (UK), is running a public consultation on its draft guidance on biometric data which covers the requirements under the UK General Data Protection Regulation (GDPR) (similar to the EU GDPR, with extraterritorial reach) for such data. Vendors or users of biometric recognition systems, including both controllers and processors, would be required to comply with the guidance once finalized. As the definition of biometric data is relatively broad and includes, for example, a person’s voice or face that have been analysed using technology for the purposes of identifying such person, the draft guidance is likely to apply to a wide range of companies across all industry sectors in and outside the UK. The consultation includes 20 questions and we encourage participation, via completing the survey, or by downloading the word document through this link and forwarding the response to biometrics@ico.org.uk. The ICO will close the consultation on 20 October 2023.

In a policy statement released on May 18, 2023, the Federal Trade Commission (FTC) warned of several consumer data privacy risks related to the increasing commercial use of biometrics technologies.¹  The Commission unanimously voted 3-0 to adopt the policy statement, which builds on more than a decade of Commission guidance on biometrics, including its 2012 report on best practices for facial recognition technology.

The Illinois Supreme Court issued a pair of decisions related to the Illinois Biometric Information Privacy Act (BIPA) that continue to ratchet up compliance pressure on businesses. On February 17, 2023, the Illinois Supreme Court ruled in a narrow 4-3 majority that a separate claim for damages accrues each time a business violates the state’s BIPA (e.g., accruing additional damages each time a fingerprint is scanned rather than a single violation for each unique fingerprint collected). Under BIPA, companies collecting biometric data such as facial scans, fingerprints and voiceprints can face millions of dollars in fines if they fail to seek permission to collect this data, or if they fail to disclose their data retention plan.

The UK government is clearly keen to attract artificial intelligence (AI) developers to the UK by promising a regulatory environment that will nurture development and innovation. In its recently published Policy Paper, the UK government presented early proposals for what the UK’s regulatory framework in respect of AI might look like (the “Framework”). This follows the National Artificial Intelligence Strategy, which was published in September 2021 and specified AI regulation as a priority for the UK government. Whilst these early proposals are very high level, we set out the key points of interest in this post.

Throughout the month of March, states continued to introduce new privacy laws of their own as Congress focused on enacting President Biden’s $1.9 trillion COVID-19 relief plan—H.R. 1319, the American Rescue Plan Act of 2021—which President Biden signed into law on March 11.

Throughout the month of February, states continued to introduce new privacy laws of their own as Congress remained preoccupied with enacting an additional COVID-19 relief package. Virginia emerged as the primary highlight of the month, as the state’s enactment of the Consumer Data Protection Act (CDPA) on March 2 makes Virginia the second state to enact a comprehensive state data privacy law in the U.S., after the California Consumer Privacy Act of 2018 (CCPA). In addition to Virginia’s enactment of the law, lawmakers in California and other states have continued to unveil a slate of sector-specific legislative proposals. Below, please find a high-level overview of states’ recent legislative efforts in this space.

In the wake of the California voters’ approval of Proposition 24, or the California Privacy Rights Act of 2020 (CPRA), a ballot initiative that expanded data privacy obligations for businesses beyond those in the California Consumer Privacy Act (CCPA), several states promptly introduced new privacy laws of their own at the outset of 2021. Lawmakers in Washington state have notably revamped the Washington Privacy Act (WPA), while the landmark New York Privacy Act (NYPA) has also been reintroduced. Other state lawmakers continue to introduce measures to enhance their states’ data privacy and cybersecurity efforts. Below, please find a high-level overview of states’ new legislative efforts in this space.

On Tuesday, August 4, Senators Jeff Merkley (D-OR) and Bernie Sanders (I-VT) announced the introduction of the National Biometric Information Privacy Act of 2020 to prohibit private companies from collecting biometric data without consumers and employees’ informed written consent, or profiting off this data.