It is critically important that lawmakers stand up to protect their constituents from the abuse of biometric information, through strong laws with strong enforcement. That’s why we were proud to testify in support last week of Maryland’s SB 335, which would give Marylanders much-needed protections against unwanted biometric data collection. Most importantly, this bill requires corporations to get a person’s opt-in consent before collecting their biometrics, and it empowers people to sue the businesses that violate their biometric privacy.
Biometric information is easy to collect, immutable, and a ripe target for identity thieves. That’s why EFF works to defend and enforce the Illinois Biometric Information Privacy Act (BIPA)—on which SB 335 is based—as a necessary means to protect our biometric privacy from intrusion by private entities. It is also why we have encouraged other states and the federal government to follow this model of legislation.
We are encouraged to see Maryland recognize the harms that unconsented collection can inflict on people as they go about their daily lives. And we were particularly encouraged to see Finance chair, Sen. Delores Kelley, and the bill’s sponsor, vice-chair Sen. Brian Feldman, push back on those advocating to eliminate perhaps the most important piece of this bill: the private right of action.
As we said in our testimony, laws are often only as good as their enforcement. This is why it is a top priority for the Electronic Frontier Foundation to include private rights of action in privacy laws, including those that protect biometric privacy. Consumer enforcement is part of EFF’s “bottom-up” approach to public policy. Ordinary technology users should have the power to decide for themselves whether to bring a lawsuit to enforce their statutory privacy rights.
Since Illinois’ BIPA was passed in 2008, those seeking to weaken its protections have repeatedly attacked the private right of action, calling it unnecessary. Including a private right of action, in fact, is how legislators normally approach privacy laws. Many privacy statutes contain a private right of action, including federal laws on wiretaps, stored electronic communications, video rentals, driver’s licenses, credit reporting, and cable subscriptions. So do many other kinds of laws that protect the public, including federal laws on clean water, employment discrimination, and access to public records.
We have already seen how ineffective laws become when they are passed without this important enforcement mechanism. Texas, for example, has a 2009 law very similar to Illinois’ BIPA except for the fact that only the state attorney general has the right to sue under the law. While Illinois’ law has worked for the people of that state since it was passed in 2008, it took the Texas Attorney General’s office 12 years—until this week—to bring its first enforcement action. And, even then, the suit treads ground already broken by an Illinois lawsuit that forced Facebook to settle with consumers for $650 million. This demonstrates how strong state laws with strong enforcement help us all.
People should be able to choose which companies they trust with their information, especially information as sensitive and unique as biometrics. Companies should recognize the responsibilities inherent to the collection of biometric information. They also must be held accountable for actions that break that trust. We applaud Vice-Chair Feldman and Chair Kelley for recognizing this, and encourage other states to follow their example.