Over two years ago, in our annual year in preview series, we noted that while only three states had passed laws specifically dealing with the protection of biometric information, other states were considering following their lead. But even as biometric technology has continued to advance, state legislatures have remained cautious about enacting privacy legislation directed specifically at the protection of biometric information. As of now, only three states—Illinois, Texas and Washington—have biometric-specific legislation, though California’s powerful CCPA now also includes provisions related to biometric identifiers. Legislative efforts in Alaska, Arizona, Massachusetts, Michigan, Montana, New Hampshire and New York, to name a few, have failed to gain traction.
On January 14, South Carolina entered the biometric arena when state legislators there introduced a bill to enact the “South Carolina Biometric Data Privacy Act.” In its current form, the legislation would stake out a middle ground between biometric privacy laws currently on the books. The proposed protections are somewhat less stringent than those contained in the Illinois Biometric Information Privacy Act (“BIPA”). For example, while BIPA requires entities that collect biometric data to delete such data at the earlier of (1) when the purpose for collecting it has been fulfilled or (2) within 3 years of the subject’s last interaction with the entity, the South Carolina bill would provide that such data must be deleted only upon the subject’s request. Similarly, while BIPA prohibits the sale of biometric data, the South Carolina bill would prohibit the sale of biometric data only upon the subject’s request.
Like BIPA, however, and unlike the Texas and Washington biometric privacy laws, the proposed South Carolina law would provide for a private right of action for aggrieved individuals. Thus, if enacted, the South Carolina bill would likely soon be the subject of litigation and, as litigation around BIPA has started to do, would help shape judicial interpretation and application of biometric privacy principles.
Interestingly enough, where the South Carolina bill appears to be broader than any current law is in its definition of what constitutes “biometric information.” The proposed law covers not only the usual biometric information covered by other laws—retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry—but also DNA, “keystroke patterns of rhythms, gait patterns or rhythms, and sleep health, exercise data, or geolocation data that contain identifying information.” The South Carolina bill could potentially apply to new contexts and fact patterns currently untouched by BIPA.
As the experience of the past few years has shown, the successful enactment of biometric privacy legislation is the exception rather than the rule. But if South Carolina can buck that trend with this proposed law, the impact could be big—and fascinating to watch.