Maryland Bill provides strong privacy protections against biometric data collection


It is critically important that lawmakers step up to protect their constituents from the misuse of biometric information, through strong laws and strong enforcement. That’s why we were proud to testify last week in support of Maryland’s SB 335, which would provide Marylanders with much-needed protections against the collection of unwanted biometric data. More importantly, this bill requires companies to obtain a person’s consent before collecting their biometric data, and it allows people to sue companies that violate their biometric privacy.

Biometric information is easy to collect, immutable, and a ripe target for identity thieves. That’s why EFF strives to uphold and enforce the Illinois Biometric Information Privacy Act (BIPA) – upon which SB 335 is based – as a necessary means to protect our biometric privacy from abuse. intrusion by private entities. It is also why we have encouraged other states and the federal government to follow this model of legislation.

We are encouraged to see Maryland recognize the harm that non-consented collection can inflict on people in their daily lives. And we were especially heartened to see the Chair of Finance, Senator Delores Kelley, and the bill’s sponsor, the Vice Chair, Senator Brian Feldman, push back against those who advocate eliminating perhaps the most most important aspect of this bill: the private right of action.

As we said in our testimony, laws are often only as effective as their enforcement. That’s why it’s a top priority for the Electronic Frontier Foundation to include private rights of action in privacy laws, including those that protect biometric privacy. Consumer enforcement is part of EFF’s “bottom-up” approach to public policy. Ordinary technology users should have the power to decide for themselves whether they want to take legal action to enforce their legal privacy rights.

Since the passage of Illinois’ BIPA in 2008, those seeking to weaken its protections have repeatedly attacked the private right of action, calling it unnecessary. In fact, the inclusion of a private right of action is how legislators normally approach privacy laws. Many privacy laws contain a private right of action, including federal laws on wiretapping, stored electronic communications, video rentals, driver’s licenses, credit reports, and internet subscriptions. cable. The same goes for many other types of laws that protect the public, including federal drinking water laws, employment discrimination, and access to public records.

We have already seen how ineffective laws become when they are passed without this important enforcement mechanism. Texas, for example, has a 2009 law very similar to Illinois’ BIPA, except that only the state attorney general has the right to sue under the law. Although the Illinois law has worked for people in that state since it was passed in 2008, it took the Texas attorney general’s office 12 years, until this week, to file its first lawsuit. And, even then, the lawsuit is stepping on ground already broken by an Illinois lawsuit that forced Facebook to settle with consumers for $650 million. It demonstrates how strong state laws with strict enforcement help us all.

People should be able to choose which companies they trust with their information, especially information as sensitive and unique as biometrics. Businesses should recognize the responsibilities inherent in collecting biometric information. They must also be held accountable for actions that break that trust. We commend Vice President Feldman and President Kelley for recognizing this and encourage other states to follow their lead.


Comments are closed.