Cross-posted from Seyfarth’s Workplace Class Action Blog.

Seyfarth Synopsis: Following in the footsteps of New York, Maryland recently introduced a standalone biometric information privacy bill, House Bill 218, that mirrors Illinois’ highly litigious Biometric Information Privacy Act (740 ILCS § 14/1 et seq., “BIPA”) in many respects. Most notably, as presently drafted, Maryland’s proposed bill, like Illinois’ BIPA, provides for a private right of action, statutory penalties, and plaintiffs’ attorneys’ fees – which has spawned thousands of class actions in the Land of Lincoln. If enacted, the Maryland bill would become only the second biometric privacy act in the United States to provide a private right of action and plaintiffs’ attorneys’ fees for successful litigants. This represents a significant development for companies and employers operating in Maryland in light of the explosion of class action litigation that has arisen from Illinois’ BIPA in recent years. Moreover, the recent introduction of such bills in Maryland and New York signal that states are increasingly modeling proposed biometric privacy litigation on Illinois’ BIPA. Employers must take notice and monitor such developments to avoid being subject to a class action lawsuit – particularly as the purposes for utilizing such technology continue to expand.

Details of Maryland’s Proposed Legislation

Like New York’s proposed legislation that mirrors Illinois’ BIPA in many respects which we previously blogged about here, Maryland has proposed a similar bill entitled “Commercial Law – Consumer Protection – Biometric Identifiers and Biometric Information Privacy.”  The proposed law, like Illinois’ BIPA, prohibits private entities from capturing, collecting, or storing a person’s biometrics without first implementing a policy and obtaining written consent, implements standards of care for the handling of biometrics, and prohibits disclosure of biometrics without consent.  Most notably, the proposed bill provides for identical remedies to BIPA, whereas an aggrieved person under the proposed bill will be afforded a private right of action with the ability to recover $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, and reasonable attorneys’ fees and costs.

However, Maryland’s proposed legislation does differ from Illinois’ BIPA in a couple of respects. For example, the definition of “biometric identifiers” is arguably even broader, extending to “data of an individual generated by automatic measurements of that individual’s biological characteristics such as fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity.” Moreover, the proposed legislation also clarifies that the broader definition of “biometric information,” which includes “any information regardless of how it is captured, converted, stored, or shared based on an individual’s biometric identifier used to identify an individual,” does not include “information derived from an item or a procedure excluded under the definition of a biometric identifier,” such as photographs or information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under HIPAA. Unlike Illinois’ BIPA, the proposed Maryland legislation also clarifies that a policy regarding retention/destruction of biometrics need not be made “publicly available” if the policy “applies only to the employees of the private entity,” and “is used solely for internal company operations.”

Implications For Companies

Companies that are already familiar with the Illinois BIPA are undoubtedly aware of the threats that the proposed Maryland biometric privacy bill poses. While the Illinois BIPA was enacted in 2010, it has seen an explosion in class action litigation over the past few years brought by employees and consumers alleging that their biometric data was improperly collected for timekeeping, security, and consumer transactions. In fact, between 2015 and 2020 alone, there were over 1,000 Illinois BIPA class action complaints filed across the United States, with additional new filings continuing to be initiated every day.

It remains to be seen if Maryland’s biometric privacy bill will pass as drafted. However, if enacted as it is currently drafted, companies in Maryland can also expect to experience an onslaught of biometric privacy litigation. Compliance is key, and there no better time to think about your company’s biometric privacy compliance than right now. Companies with Maryland operations that are utilizing anything that could be considered biometrics, for any reason, should consider audit their practices, policies, and procedures to avoid potentially costly exposure in the event that the bill ultimately passed. Businesses with compliance questions should contact a member of Seyfarth Shaw’s Biometric Privacy Compliance & Litigation Practice Group.

While this proposed bill was only recently introduced, Seyfarth Shaw will provide immediate updates on its progress when available.