Fla. Lawmakers Propose New Law to Address Companies' Increasing Use of Biometrics
Companies in Florida that use fingerprints or face scans for employee or customer access control should take notice of a new bill introduced by the Florida Senate titled, Florida Biometric Information Privacy Act. Why is this bill significant?
April 01, 2019 at 12:30 PM
6 minute read
Robert A. Stines of Freeborn & Peters.Companies in Florida that use fingerprints or face scans for employee or customer access control should take notice of a new bill introduced by the Florida Senate titled, Florida Biometric Information Privacy Act. Why is this bill significant? To answer that, we need to provide some information on biometric identification and the associated technology.
Simply, “biometrics” are any metrics related to human features such as fingerprints, retina, voice, face.
Security professionals tout biometric identification as a better alternative to ID cards, PIN, tokens and pass codes. In theory, only one person has your face, retina and fingerprints; they are always with you; they are permanent; and, you will never forget them. In a society that sometimes appreciates convenience over privacy, the use of biometric identification is becoming widely adopted. Already, there are amusement parks and gyms using fingerprints to access facilities. Probably the most popular use cases are Apple's and Microsoft's face scans to access devices.
Some privacy professionals consider it one step closer to a “big brother” society, where the government or private entities do not require permission to access personal information. In a world where everything is connected and the government relies on private platforms for surveillance, a face scan will allow access to criminal records, insurance information, voter registration, location tracking, and postings on social media, etc.
Biometric Technology
The technology behind the collection and use of biometric information effectively converts your unique identifiers into digital data (binary language). Data security professionals are concerned that if your biometric information has been reduced to data and is stored in a database, it is hackable. This is troublesome because biometric data is more vulnerable than any other kind of data. You can change passwords, credit card information, and social security numbers. You cannot simply change your fingerprint, retina or face. Once biometric data is disclosed, it is difficult to prevent unwanted access to this information.
Some companies have publicly stated that their version of biometric technology takes an image of the biometric identifier, converts the image into a unique numerical value and immediately discards the image. By immediately discarding the image, there is no threat of the image being unintentionally disclosed. Despite these attempts to inspire confidence from consumers, the technology naysayers theorize that it is still possible to reverse engineer the technology to obtain the biometric identifier.
Florida Lawmakers Are Concerned
Florida lawmakers have noticed the rising use of biometrics by private companies without any regulation to protect consumers. To address this issue, two senators co-sponsored the Florida Biometric Information Privacy Act. The purpose of this law is to establish requirements and restrictions on private entities as to the use, collection and maintenance of biometric identifiers and biometric information.
The proposed law is almost identical to the Illinois Biometric Privacy Act (BIPA) that was enacted in 2008 and has resulted in over 200 cases against private entities. Since BIPA was enacted, there have been class action lawsuits related to using employee fingerprints to track work hours, fingerprint capture for customer access control, and facial recognition for social media (e.g., Facebook and Snapchat). The first of its kind, BIPA had such national implications that even a Florida resident initiated a class action lawsuit against Shutterfly under BIPA in Illinois. In another lawsuit, the Illinois Supreme Court recently ruled that you do not need to have suffered damages to recover for violations of BIPA.
Companies Should Take Notice
Among other obligations, the proposed law requires companies in possession of biometric identifiers to develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Companies in possession of biometric identifiers may not sell, lease, trade or otherwise profit from a person's or a customer's biometric information.
Under the proposed law, private entities must store, transmit, and protect from disclosure all biometric information: Using the reasonable standard of care within the private entity's industry; and, In a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information. Because data protection and cybersecurity are, at best, challenging, one should expect debates related to the interpretation and meaning of “reasonable standard of care.”
Companies should understand and comply with this proposed law because it allows any person aggrieved by a violation to file a lawsuit against the violator. The violator could pay liquidated damages of $1,000 or $5,000 depending on the level of egregiousness. The proposed law also allows for attorney's fees to the prevailing party. In a class action lawsuit, this proposed law could prove expensive for companies that store biometric information for numerous Florida residents.
We have already seen that cyberinsurance is a growth market. Companies that collect and use biometric information should consider whether their insurance policies will respond to claims under the proposed law.
Do Not Wait
Using Illinois as an example, this Florida legislation could result in class action lawsuits against private entities for technical violations. Any company that uses, collects and maintains biometric information should immediately consider hiring a professional to ensure compliance with this proposed law. If it is enacted as drafted, the law will become effective Oct. 1, 2019. On Oct. 2, 2019, we may see the first wave of lawsuits under the new law.
Robert A. Stines is a partner in the Tampa office of Freeborn & Peters. A member of the firm's litigation practice group and emerging technologies industry team, he is a trial lawyer whose practice is focused on business commercial disputes, professional liability defense and cyberlaw. An IAPP U.S.-law certified privacy professional, he also advises businesses on cybersecurity and data privacy issues. He can be reached at [email protected]. To read his blog, visit https://www.techlawx.com/blog.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Conversation Catalyst: Transforming Professional Advancement Through Strategic Dialogue
5 minute read
SEC Whistleblower Program: What to Expect Under the Trump Administration
6 minute read
Turning the Shock of a January Marital Split Into Effective Strategies for Your Well-Being
5 minute read
Trending Stories
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
