By Phil Gura and Taylor Ey
And if you are collecting, storing or using biometric information of any Parrotheads, you may end up being the only bait in town. A bill to create the Florida Biometric Privacy Act was just introduced in the Sunshine State Senate. (SB1270) Of concern to all “private entities” serving Florida residents, the bill would create a private right of action in circuit court for any person whose biometric data is not collected, stored or used in accordance with the new rules.
For each negligent violation, a prevailing party may receive the greater of (i) liquidated damages of $1,000 and (ii) actual damages, plus attorneys’ fees and injunctive or other relief. For reckless violations, the liquidated damages rise to $5,000 per violation.
If passed, the Florida Act would become the second state, following Illinois, to give plaintiffs a private cause of action for biometric privacy violations: https://www.womblebonddickinson.com/us/insights/alerts/collecting-biometric-data-without-consent-sufficient-harm-base-action. The Florida bill has a proposed effective date of October 1, 2019 and closely tracks the Illinois statute.
Generally, the new Act requires private entities that have either “biometric identifiers” or “biometric information” to establish a publicly available written policy establishing a retention schedule and guidelines for destroying that information and identifiers. Destruction will have to occur on the earlier of the time the original purpose of the collection is satisfied and three (3) years after the last interaction with the individual.
Businesses that collect or store biometric information or identifiers must:
- Inform the individual of the collection or storage,
- Inform the individual of the purpose and length of time the information or identifiers will be collected, stored or used, and
- Obtain a written release from the individual for such collection, storage or use.
Covered entities must use a “reasonable standard of care within the private entity’s industry” to protect biometric information and identifiers and at least the same standard of care that the entity used to protect “other confidential and sensitive information.”
Sale of biometric identifiers and information is prohibited. Disclosure of such information can only occur with the subject’s consent, where required by law, pursuant to a warrant, or when it completes a financial transaction initiated by the subject.
Financial institutions covered by GLB and contractors and agents of state agencies are excluded from coverage. These new restrictions would be in addition to HIPAA obligations.