While U.S. privacy regulations have long been criticized for slow development in past decades, a new and growing wave of privacy laws continue to create new compliance considerations for businesses, including specific additional obligations for sensitive data like biometric data. Both the laws and regulator approaches to privacy issues are increasing in sophistication. U.S. regulators have been handed unprecedented powers to bring privacy enforcement actions for biometric data, and they have strongly signaled their intention to use these powers to combat the real-world harms that can arise from misuse of biometric data. The next phase will see how U.S. regulators decide to wield and exercise these new and expanded powers.
While the U.S. historically has had certain protections for biometric data through privacy laws, most notably the Illinois Biometric Information Privacy Act, swift developments in the U.S. privacy framework have poised regulators for an era of newfound enforcement activity related to business use of biometric data. For example, the scope of the U.S. state consumer privacy laws now explicitly covers biometric data, creating obligations that will be new for many U.S. businesses and providing landmark privacy rights to consumers. The Federal Trade Commission has also recently published guidance about biometric data under Section 5 of the Federal Trade Commission Act, cautioning businesses to assess whether use of biometric data is likely to cause consumer injury, especially given the rapid changes in technological capabilities. While the private right of action under BIPA has long created compliance pressures on businesses, in this paper, we focus on the prospect of rigorous action from the Federal Trade Commission, state Attorneys General, and the new California Privacy Protection Agency, which are poised for strengthened action on biometric privacy.
This article was originally published by CPI in the April 2024 issue of the TechREG Chronicle. To access the full article, please click here.
