New Biometric and PII Privacy Laws: Is Biometric Data PII?

Rapidly changing technology has a dramatic impact on the privacy rights of consumers across the globe. In many cases, the law has failed to keep up with these rapid changes.

The two specific types of data in question are biometric data and personally identifiable information (PII). With no clear national standard for limiting the collection of this data, some states are taking it upon themselves to address privacy rights issues in the modern era.

The legal community must prepare their clients for the pending biometric data and PII regulation. In many jurisdictions, there could be steep risks for businesses that inadvertently fail to comply with these shifting privacy laws.

Understanding Biometric Data and PII

While biometric data and personally identifiable information are currently at the forefront of privacy battles across the country, it is important to note that these are two very different legal questions. For that reason, each form of private sensitive data involves its own set of regulations in most states.

Biometric data is the measurable and unique characteristics of the human body. These can include biological details like a fingerprint, a DNA sequence, or the structure of the iris. This type of data has increasingly become central in the technology used for biometric authentication. Examples range from using fingerprints by the police to using facial recognition to unlock a mobile device.

PII is any form of personal information that could be used to identify an otherwise anonymous person. This information could identify a person on its own or combine with other factors to make an individual’s identity clear. Examples of PII include phone numbers, age, gender, date of birth, and social security number.

The State of Biometric Privacy Laws

More than half of all organizations already use biometric information for authentication in the workplace or other purposes. Business clients need to know now how to comply with the changing laws and protect themselves from liability and their clients from identity theft.

Although questions remain about the degree of privacy and control over biometric data, more than one state has already adopted legislation to answer these questions. Illinois was the first to take action to protect citizens’ data privacy rights when they passed the Illinois Biometric Information Privacy Act .

Other states—including Louisiana, Texas, and Washington—have taken steps to regulate the collection of biometric data as well. In 2020, California and Oregon’s biometric privacy laws went into effect, and New York enacted its SHIELD Act requiring businesses to take measures to protect biometric data and expanding breach notification rules. However, these states stopped short of creating a private right of action. Understanding the different approaches these states take is vital for any attorney as they aid their clients in weighing potential liability issues.

The Changing Face of PII Regulations

Since there has been limited effort toward addressing PII regulations and biometrics on the national level, a number of states currently address these issues through a patchwork of legislation. Other states have yet to take up the question of PII and privacy rights at all. This could result in a situation where compliance across state lines becomes a costly process fraught with red tape and confusion.

Current State Laws

There are hundreds of state and local regulations related to the collection of PII. California leads the way through legislation known as the California Consumer Privacy Act (CCPA). The CCPA grants California residents the right to block the sale of their sensitive PII data and to know which personal data has been collected. Failure to comply with this act could result in steep fines for companies.

The Potential for Uniformity

While changes at the federal level could provide an end to this piecemeal attempt at regulation, there is nothing to suggest a legislative fix is on the horizon. However, the Uniform Law Commission—the creators of the Uniform Commercial Code (ULC)—is working to address the issue differently.

The ULC is in the process of drafting a set of uniform laws to address PII privacy rights. Instead of addressing the patchwork of state rules through federal regulation, the ULC is offering a uniform code that each state could adopt. This legislation is known as the Collection and Use of Personally Identifiable Data (CUPID) Act.

The European Union has taken an aggressive approach to the issue through its General Data Protection Regulation (GDPR). GDPR treats the right to privacy in regards to PII as fundamental. This has led to costly efforts among companies to reform their data collection processes. Because GDPR has a crossover effect on any company that reaches EU residents, this financial cost is not limited to European companies. According to Forbes , the cost of GDPR compliance has been more than $15 million for each Fortune 500 company. 

The current landscape of federal and state privacy regulations is complex. Fortunately, NBI offers a comprehensive look at the basic tenets every attorney should know about PII privacy rights in the NBI course, Privacy Law .

New regulations regarding the collection and maintenance of PII are only one potential risk that a business might face. To ensure their clients are protected moving forward, attorneys could benefit from a continuous review of ever-changing state data privacy regulations. The NBI Course Catalog offers several courses covering updates to the law, with more added regularly.

This blog post is for general informative purposes only and should not be construed as legal advice or a solicitation to provide legal services. You should consult with an attorney before you rely on this information. While we attempted to ensure accuracy, completeness and timeliness, we assume no responsibility for this post’s accuracy, completeness or timeliness.