PH Privacy
Maine State Legislature Considering (Again) a BIPA-Like Statute
May 26, 2023
By Adam M. Reich & Kimia Favagehi
On May 22, 2023, the Maine Legislature held a public hearing on “H.P. 1094, An Act to Give Consumers Control Over Sensitive Personal Data By Requiring Consumer Consent Prior to Collection of Data” (“H.P. 1094”). H.P. 1094, introduced last month, is the second attempt in as many years by certain Maine legislators to pass a bill into law premised on Illinois’ Biometric Information Privacy Act (“BIPA”), as LD 1945, An Act to Regulate the Use of Biometric Identifiers, first introduced in January 2022 (“LD 1945”), stalled out in non-concurrence.
In the event that the Maine Legislature passes H.P. 1094, it will be effective January 1, 2025, and Maine will become only the second state in the nation to have a state biometric privacy law with a private right of action and significant potential liability for non-compliant corporate entities. Accordingly, companies doing business in Maine that utilize any technology involving employee or customer biometric identifiers, or which otherwise collect, use, obtain, store, possess, or transmit biometric identifiers, should at minimum actively track H.P. 1094, as it continues to wind its way through committees.
The following chart identifies the key provisions of H.P. 1094 and how they compare to BIPA.
| ISSUE | BIPA | H.P. 1094 |
| --- | --- | --- |
| Definition of Regulated Biometrics | Regulates “biometric identifiers” and “biometric information.” “Biometric identifiers” include: retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. “Biometric information” includes: any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.[1] | Only regulates “biometric identifiers.” “Biometric identifiers” include: information generated by measurements of an individual's unique biological characteristics, including a voiceprint or imagery of the iris, retina, fingerprint, face, or hand, which can be used to identify that individual.[2] |
| Subjects of Regulation | Any private entity that collects, possesses, stores, transmits, uses, obtains, discloses, or otherwise disseminates biometric identifiers or biometric information.[3] | Any private entity that collects, stores, purchases, receives through trade, or otherwise obtains, uses, discloses, transfers, or otherwise disseminates an individual’s biometric identifier.[4] Processors that collect, process, store, or otherwise use biometric identifiers on behalf of another private entity.[5] |
| Consent Requirements | A private entity must receive a “written release” executed by the subject of the biometric identifiers and biometric information, or the subject’s legally authorized representative.[6] “Written release” means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.[7] | A private entity must receive affirmative written consent from an individual.[8] “Affirmative written consent” means specific, unambiguous, and informed written consent given by an individual who is not under duress or undue influence at the time the consent is given or, in the context of employment, a release signed by an employee as a condition of employment.[9] |
| Disclosure Requirements | No disclosure, redisclosure, or dissemination of biometric identifiers or biometric information unless one of four criteria is satisfied: (1) the subject or the subject’s legally authorized representative consents; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject or the subject’s legally authorized representative; (3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) the disclosure or redisclosure is required by valid warrant or subpoena issued by a court of competent jurisdiction.[10] | Unlike BIPA, H.P. 1094 incorporates disclosure requirements to affected individuals, upon their request (somewhat similar to the GDPR). A private entity that collects or possesses a biometric identifier shall disclose to that individual, free of charge, any biometric identifier associated with that individual and the following required information: (1) the type of biometric identifier; (2) all personal information related to the biometric identifier; (3) the types of sources from which the private entity obtained the biometric identifier and personal information linked to the biometric identifier; (4) the use of the biometric identifier and personal information linked to the biometric identifier; (5) the type of 3rd party with which the private entity has shared the biometric identifier; and (6) the type of personal information linked to the biometric identifier that the private entity has disclosed to a 3rd party.[11] |
| Policy Requirements | (1) In writing (2) Publicly available (3) Set a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when: (a) the initial purpose for collecting or obtaining such identifiers or information has been satisfied; or (b) within three years of the individual's last interaction with the private entity.[12] | (1) In writing (2) Publicly available (3) Set a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information by the earliest of: (a) the date on which the initial purpose for obtaining the biometric identifier has been satisfied; (b) one year after the individual's last intentional interaction with the private entity in possession of the biometric identifier; and (c) thirty days after receiving a request by the subject to destroy the biometric identifier.[13] |
| Notice Requirements | (1) Informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; and (2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used.[14] | Same as BIPA.[15] |
| Protection Obligations | Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry, and in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.[16] | Same as BIPA.[17] |
| Prohibited Uses | No selling, leasing, trading, or otherwise profiting from a person’s or a customer’s biometric identifier or biometric information.[18] | (1) No selling, leasing, or trading biometric identifiers. (2) No permitting any recipient of biometric identifiers to sell, lease, or trade biometric identifiers. (3) No retaining biometric identifiers related to access for the purpose of employee tracking.[19] |
| Mechanism(s) of Enforcement | Private right of action.[20] | Private right of action.[21] Civil penalties and enforcement by the Attorney General.[22] |
| Statutory Damages | Negligent violations: $1,000 or actual damages, whichever is greater. Intentional or reckless violations: $5,000 or actual damages, whichever is greater.[23] | Same as BIPA, but expressly specifies damages accrue on a per violation basis.[24] |
| Other Available Relief | Other relief, including an injunction, as the state or federal court may deem appropriate.[25] | (1) Other relief, including injunctive or equitable relief, as the court determines appropriate.[26] (2) Any violation constitutes prima facie evidence of a violation of the Maine Unfair Trade Practices Act, which carries with it an additional damages risk.[27] |
| Discrimination Restrictions | No provision on discrimination. | A private entity may not condition the sale of goods or provision of services on the collection of a biometric identifier, charge a different price to a customer who does not provide affirmative consent, or provide a different quality of goods or services to a customer that exercises his/her rights.[28] |
Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises companies on compliance with biometric privacy laws, litigates biometric privacy issues, and keeps track of the changing landscape of biometric privacy legislation. If your company operates in Maine, and you have any questions concerning H.P. 1094, or if you have any questions about BIPA or any other biometric privacy statutes, please contact our team.
[1] 740 ILCS 14/10.
[2] H.P. 1094, 2023 Leg., 131st Sess., §9601(2) (Me. 2023).
[3] 740 ILCS 14 et seq.
[4] H.P. 1094, 2023 Leg., 131st Sess., §9607(1) (Me. 2023).
[5] H.P. 1094, 2023 Leg., 131st Sess., §9601(6) (Me. 2023).
[6] 740 ILCS 14/15(b)(3).
[7] 740 ILCS 14/10.
[8] H.P. 1094, 2023 Leg., 131st Sess., §9607(1)(C) (Me. 2023).
[9] H.P. 1094, 2023 Leg., 131st Sess., §9601(1) (Me. 2023).
[10] 740 ILCS 14/15(d).
[11] H.P. 1094, 2023 Leg., 131st Sess., §9606(2) (Me. 2023).
[12] 740 ILCS 14/15(a).
[13] H.P. 1094, 2023 Leg., 131st Sess., §9603(1) (Me. 2023).
[14] 740 ILCS 14/15(b)(1)-(2).
[15] H.P. 1094, 2023 Leg., 131st Sess., §9607(1) (Me. 2023).
[16] 740 ILCS 14/15(e).
[17] H.P. 1094, 2023 Leg., 131st Sess., §9605(1) (Me. 2023).
[18] 740 ILCS 14/15(c).
[19] H.P. 1094, 2023 Leg., 131st Sess., §9604(2) (Me. 2023).
[20] 740 ILCS 14/20.
[21] H.P. 1094, 2023 Leg., 131st Sess., §9608(1) (Me. 2023).
[22] H.P. 1094, 2023 Leg., 131st Sess., §9608(3) (Me. 2023).
[23] 740 ILCS 14/20(1)-(2).
[24] H.P. 1094, 2023 Leg., 131st Sess., §9608(1)(A) (Me. 2023).
[25] 740 ILCS 14/20(4).
[26] H.P. 1094, 2023 Leg., 131st Sess., §9608(1)(C) (Me. 2023).
[27] H.P. 1094, 2023 Leg., 131st Sess., §9608(2) (Me. 2023).
[28] H.P. 1094, 2023 Leg., 131st Sess., §9607(3) (Me. 2023).