Senators Brian Schatz (D) and Roy Blunt (R) recently introduced S.847, the “Commercial Facial Recognition Privacy Act of 2019,” a bill that would, subject to certain important exceptions,  generally prohibit the commercial use of facial recognition technology to identify and track consumers without consent. The bill, as drafted would place limitations on the third-party sharing of collected faceprint data, as well as require covered entities to meet certain minimum data security standards. As this bill wends its way through Congress (it has been referred to the Committee of Commerce, Science and Transportation), it is worth watching because it is a bipartisan bill with a narrow scope that has garnered the early conceptual support of Microsoft and other technology companies.

UPDATE:  Subsequent to the introduction of the New York City Council biometric privacy bill, on March 5, 2019 members of the Florida legislature introduced the “Florida Biometric Information Privacy Act” (SB 1270).  The statute generally follows the Illinois Biometric Information Privacy Act (BIPA) regarding notice and consent requirements and notably provides for a private right of action and the availability of statutory damages.  As with the New York City bill, we will follow the progress of the Florida bill, as well as other pending biometric privacy legislation (e.g., Montana’s HB 645, which was introduced on March 1, 2019 and is another BIPA-like bill, but only allows enforcement by the state attorney general).

UPDATE: Both the Florida and Montana bills died in committee this past spring.

In light of the recent decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), it is worth remembering that late last year, New York City Council members Ritchie Torres (and additional co-sponsors) introduced a bill for the city council to consider that would regulate the use of biometric technology in New York City. Bill Int. No. 1170 (the “Bill”) would amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York and require businesses (but not governmental actors) to give notice to customers if they are collecting “biometric identifier information.” The Bill, which contains some similar provisions to the Illinois Biometric Information Privacy Act (“BIPA”), includes a private right of enforcement but avoids the statutory standing issue litigated in Rosenbach by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action.”  If enacted, this bill could lead to a deluge of individual and class action suits in New York based on biometric activity.

We have written before about the issues presented by the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”).  BIPA is still the only state biometric privacy statute with a private right of action. It has garnered national attention and become the epicenter of biometrics-based litigation, with dozens of cases pending alleging violations of the statute (defendants include employers of all types, social media platforms, service providers, and many other businesses that interact with Illinois residents).  Just as the privacy concerns surrounding the collection and storage of biometric data have come into sharper focus with more and more companies employing such technologies for digital authentication, security and other uses, the litigation surrounding BIPA has garnered much controversy and the legislature has previously been called upon to amend the statute to limit its reach.  The Illinois legislature is now considering a bill (SB3053) that would fundamentally alter the privacy protections under BIPA

Today, the President signed H.R. 1865, the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (commonly known as “FOSTA”).  The law is intended to limit the immunity provided under Section 230 of the Communications Decency Act (“CDA Section 230”) for online services that knowingly host third-party content that promotes or facilitates sex trafficking. As drafted, the law has retroactive effect and applies even with respect to activities occurring prior to its enactment.

In the flurry of deal-making that resulted in a 2,232-page funding bill released Wednesday, lawmakers negotiated the inclusion of “The Clarifying Lawful Overseas Use of Data Act” (often referred to as the “CLOUD Act”) (see page 2,201 of the bill text).  The CLOUD Act provides a procedural structure for law enforcement to pursue the preservation or production of data and other information residing on servers located overseas that is within the possession, custody or control of the provider.

In this age of cloud computing, data can rest overseas or in multiple locations. As we’ve previously discussed, it is increasingly common to see extraterritorial legal disputes arise when parties attempt to apply laws passed before the digital age to our current landscape.

On July 21st, Delaware Governor John Carney Jr. signed SB 69 into law. SB 69 amends the Delaware General Corporation Law (“DGCL”) to explicitly authorize the use of distributed ledger technology in the administration of Delaware corporate records, including stock ledgers.

Distributed ledger (or “blockchain”) technology-based platforms enable peer-to-peer transactions and eliminate the need for a trusted intermediary to verify and process the transactions. The potential applications of such technology in the administration of corporate records, and stock ledgers in particular, are tremendous.

With summer concerts and music festivals in full swing, many fans will be surprised to find $145 face value tickets reselling online for $3,000 to $11,000.

On May 11, 2017, New York Attorney General Eric Schneiderman took the most recent step in dealing with this problem, and announced seven settlements in “ticket bot” enforcement actions, calling for settlement payments totaling $4.19 million. This development represents the latest step in Schneiderman’s longstanding and highly publicized efforts to combat unfair ticket resale practices occurring in New York.  The enforcement also highlights the technological methods that ticket brokers use to evade the protective measures of well-known ticket marketplaces or otherwise conceal their online activities.

We have been writing about the biometric privacy legal landscape, which has thus far been dominated by the Illinois Biometric Information Privacy Act (BIPA).  While there are a number of states that are considering bills modeled after BIPA, Washington has enacted a bill that takes a dramatically different approach.   On May 16, 2017, HB 1493 (the “Washington Statute,” or the “Statute”) was signed into law by Governor Jay Inslee and will become effective on July 23, 2017.

The stated purpose of the Statute is to require a business that collects and can attribute biometric data to a specific individual to disclose how it uses that biometric data and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database. Unlike BIPA, the Statute does not provide a private cause of action; it may be enforced solely by the state attorney general under the Washington consumer protection act.  It should be noted, however, that Washington has traditionally been one of the leading states with regard to the enforcement of consumer privacy.

The blockchain or “distributed ledger network” was originally conceived as the peer-to-peer technology platform that allows for the transfer of Bitcoin without the need for a trusted intermediary.  However, the blockchain protocol is being implemented across many industries and in many applications beyond digital currencies. Of course, there are questions about the enforceability of blockchain-based transactions and related, self-executing “smart contracts.”

Late last month, Arizona Governor Doug Ducey signed HB 2417 into law. This law clarifies some of the enforceability issues associated with the use of blockchain and smart contracts under Arizona law, in particular with respect to transactions relating to the sale of goods, leases, and documents of title governed respectively under UCC Articles 2, 2A and 7.

We’ve written extensively about the numerous lawsuits, dismissals and settlements surrounding the Illinois Biometric Information Privacy Act (BIPA). The statute, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute. Moreover, in two instances in the past six months, a district court has dismissed a lawsuit alleging procedural and technical violations of the Illinois biometric privacy statute for lack of Article III standing.

Thus, the epicenter of biometric privacy compliance and litigation has been the Illinois statute. A Texas biometric statute offers similar protections, but does not contain a private right of action.

The biometrics landscape may be about to get more complicated. An amendment has been proposed to the Illinois biometric privacy, and a number of biometric privacy bills mostly resembling BIPA have been introduced in other state legislatures. While most of the new proposed statutes are roughly consistent with the Illinois statute, as noted below, the Washington state proposal is, in many ways, very different. If any or all of these bills are enacted, they will further shape and define the legal landscape for biometrics.