Earlier this year, the Missouri legislature proposed its own Biometric Information Privacy Act (HB 1047), joining the growing list of states eager to enact and implement laws governing biometric data. Biometric data or information includes a person’s fingerprint, handprint, retina scan, and facial geometry.
Missouri’s bill is fashioned after neighboring Illinois’ Biometric Information Privacy Act, which should raise alarm bells for any Missouri business that—even arguably—collects, stores, or utilizes its employees’ biometric information for purposes of timekeeping or identity verification. This is because Illinois’ biometric law has resulted in an avalanche of class action lawsuits, with tens of millions of dollars paid out in settlements to individuals who had their biometric information collected without their written consent.
If passed, the Missouri bill looks to impose new and stringent requirements on the businesses of that state that collect and store biometric information. As it stands, Missouri’s proposed BIPA bill features the following key provisions:
- Private entities possessing biometric information must develop a written policy establishing retention schedule and destruction guidelines.
- Private entities may not collect, disclose, or disseminate an individual’s biometric information unless they (1) inform the individual of the collection or storage; (2) inform the individual of the purpose and duration of the collection, storage or use; and (3) obtain consent.
- Private entities may not sell, lease, or trade individual’s biometric information.
- Private entities must store, transmit, and protect biometric information pursuant to industry-specific standard of care and in manner comparable to that of other confidential and sensitive information.
Perhaps the most significant part of this legislation is the private right of action available for an individual who suffers a violation under the Act. Individuals will be able to recover up to $1,000 for negligent violations of the Act, or $5,000 or actual damages for intentional or reckless violations.
Ultimately, as more states look to pass their own biometric privacy laws, it’s become clear state legislators are keen on safeguarding biometric information. Accordingly, Missouri businesses utilizing biometrics should not only revisit existing notices, policies and practices, but also remain nimble. Consider identifying measures in advance that would remediate potential gaps induced from any resulting BIPA-like proposed legislation.