Legal and data protection research writer at TermsFeed.
Over the past few years, there's been a rise in both litigation and legislation regarding the collection and use of biometric information.
There are many types of bio-data, or biometric identifiers. These include face and voice recognition, retinal scans, palm scans, and fingerprints. We'll get into that more later in this article as we discuss Arizona's proposed biometric data privacy law, HB 2729.
For the moment, it's simply important to note that biometric information has become the subject of intense debate as privacy issues have made a beeline to the center of public attention. A clear line has been drawn between privacy advocates and those who pound the podium of safety and security.
Both groups demand that the public take sides.
Other states, including Illinois, Texas, and Washington, have all passed specific biometric data privacy laws. Of these three, Illinois has the most comprehensive law, its "Biometric Information Privacy Act" (BIPA).
Let's take a look at what's ahead for Arizona.
Recently, other states have added clauses to existing privacy laws, which will regulate the collection and use of biometric information, but without a specific law dedicated to that purpose. Some of the states which have done that are Arkansas, Louisiana, New York, California, and Oregon.
Now, states like Massachusetts, Florida, and Arizona have proposed biometric data protection laws that address an individual's right to privacy.
All of the proposed bills have things in common, such as regulating the collection, use, storage, and protection of biometric information. However, there are many differences within these bills as well. These differences showcase the variety of methods states are exploring to provide citizens with a remedy for the misuse of their data.
For example, states like Arizona are debating whether to affirm a private right of action by citizens, as Illinois did, or to follow in the footsteps of Washington and Texas, where only the state attorney general can bring actions against offending businesses.
Another issue that separates newly proposed laws is how they define biometric data.
For instance, some proposed laws have broad definitions. In those states, a "biometric identifier" might include behavioral characteristics and biological and physiological characteristics like gait and keystroke patterns. The definition might further incorporate things like "sleep, health, and exercise data that contain identifying information."
Washington state's definition, for example, is:
"data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual."
The definition of "biometric identifier" in other proposed laws is limited, like those of Texas and Illinois. (Illinois gets specific and provides separate definitions for "biometric identifier" and "biometric information.")
In light of the move by privacy advocates and civil libertarians to limit what governments and organizations can do with biometric data, it's incredibly important that companies prepare to bring themselves into compliance with current and upcoming legislation.
Even if a company is located in a state with non-existent or lax biometric data privacy laws, if it does business in a state with stricter laws, it is likely bound by the laws of that state.
Arizona has proposed more than one law that addresses biometric data and privacy.
In January 2019, House Speaker Rusty Bowers introduced Arizona's House Bill 2478. In the article below, we'll examine HB 2478, a Republican-led initiative, and Arizona House Bill 2729, a Democrat-led initiative introduced on February 10, 2020.
Arizona HB 2478
As noted above, Arizona's HB 2478 was introduced at the beginning of 2019. It put a prohibition on the collection, conversion, and storage of a state resident's biometric identifiers in a database intended for commercial uses.
Exceptions to the above included:
- "a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose, or when
- advance notice (is) provided and consent (is) obtained from the individual."
The proposed law also copies Washington state's HB 1493, which provides exemptions for security purposes such as preventing shoplifting or fraud, or protecting applications, accounts, or software.
In addition, HB 2478 won't apply to a company that uses biometric identifiers for employment purposes, unless that company discloses or sells those identifiers to third parties.
Definitions Under HB 2478
The definition of a "biometric identifier" under HB 2478 includes all of the following:
- Retina or iris scans
- Facial geometry
- Any other "unique biological pattern or characteristic that is used to identify a specific individual"
Penalties and No Private Right of Action
There isn't a private right of action under HB 2478. This brings the bill in line with the majority of privacy legislation currently on the books.
The bill makes any infraction a violation of Arizona's Consumer Fraud Statute. Under that law, companies could expect civil penalties of up to $10,000 for each violation. Some consider a fine like this nothing more than a slap on the wrist, considering Texas levies a minimum penalty of $25,000 for violations of its biometric data privacy law.
Also, there is a question about how Arizona courts will determine what "violations" means when it comes to awarding damages.
Status: Shelved
Arizona's HB 2478 was re-introduced on May 19, 2020. It was assigned to the House Rules Committee, but the Arizona legislature adjourned on May 26, 2020, effectively shelving the legislation for the time being.
Arizona HB 2729
Unlike HB 2478, HB 2729 isn't a bill specifically written to protect biometric data privacy rights. Instead, it's Arizona's attempt at an overall, comprehensive privacy and data protection law.
Though not as broad as California's Consumer Privacy Act (CCPA), HB 2729 regulates "processors" and "controllers" of personal data. The bill defines "processors" as entities that gather, use, disclose, analyze, store, delete, or modify personal information. "Controllers," meanwhile, are entities that, by themselves or with others, determine "the purposes and means of processing personal data."
How Does Biometric Data Fit in?
Biometric data fits into a subset of HB 2729's section on personal data dubbed "sensitive data." The entire section covers biometric information and information on such things as race, ethnicity, religion, sexual orientation, geolocation data, health conditions, and children's personal data.
Who Falls Within HB 2729's Jurisdiction?
HB 2729 applies exclusively to commercial organizations. State and local governments are entirely exempt.
With that said, any commercial entity that makes $25 million or more in gross annual revenues, or that intentionally targets Arizona residents with services or products, falls under HB 2729's regulations.
Additionally, any entity that controls or processes the information of at least 100,000 Arizona residents or that makes 35% of its gross revenue from selling personal information also falls under HB 2729's authority.
Businesses must understand that the definition of "sale of data" within HB 2729 is restricted to personal information transferred for monetary consideration.
Requirements of HB 2729
There are some similarities between HB 2729, the CCPA and Europe's General Data Protection Regulation (GDPR). Businesses must:
- Declare what data is being collected and what the data will be used for at the point of collection
- Correct data if a consumer informs them of a mistake
- Delete data if a consumer requests deletion (there are certain exemptions here for data necessary to complete transactions with that consumer, necessary for exercising the right to free speech, or necessary to be preserved by state or federal law)
- Provide consumers with a copy of the personal data collected upon request
Exemptions
Certain categories of information would be exempt, which means companies can collect, use, and store that information without penalty. For example, the following categories of information are fair game under the law:
- Data subject to HIPAA
- Employment data
- Data collected under the Fair Credit Reporting Act (FCRA)
Enforcement
Like HB 2478, HB 2729 does not provide for a private right of action. Only Arizona's attorney general can bring action against businesses accused of mishandling personal information. If found liable, a company may face fines of $2,500 for unintentional violations and up to $7,500 for intentional violations.
Status: Shelved
HB 2729 has been shelved for the moment, just as HB 2478 was when the Arizona legislature adjourned on May 26, 2020.
Arizona businesses may have a short window of time to further prepare themselves to comply with biometric data privacy regulations that are sure to come soon.
Future Compliance with Arizona Biometric Data Privacy Laws
While there are no comprehensive data privacy laws, biometric or otherwise, in Arizona right now, experts think that it's only a matter of time before that changes. As you can see from the information above, Arizona lawmakers have been considering new laws on the subject for a couple of years already. Data privacy laws are no longer a question of "if," but merely of "when."
Businesses would be wise then to begin preparing themselves to comply with whatever law eventually passes.
Authorities on the subject of biometric data privacy laws believe that companies can best protect themselves by looking at the laws currently on the books and then adapting their policies to fall in line with those that are most strict.
The theory is that by complying with the most comprehensive law, these companies will find themselves in compliance with the laws of their own states by default. Until Arizona passes a biometric data privacy law of its own, companies in the state may wish to tailor their policies to comply with regulations such as those found within Illinois' BIPA.
There is also an alternative, suggested by experts at the SANS Institute. This organization, which operates in the cyber and information security space, published a research paper that outlined a comprehensive, common framework that businesses could adopt to comply with biometric data privacy laws.
Writing for the SANS Institute, David Todd proposed that companies can prevent themselves from falling under the wrath of both state attorneys general and private citizens if they adopt the organization's Biometric Compliance Framework.
Best Practices
In lieu of the above, there are a few best practices for biometric data privacy. Businesses can use their time efficiently by beginning to implement the following right away.
In case you can't see the benefit in doing so, consider the fact that two consumers sued Shutterfly in Illinois in 2019. These two individuals alleged that Shutterfly collected face scans illegally by not adhering to the regulations found within BIPA.
Shutterfly was able to avoid significant penalties by revising its Terms and Conditions agreement.
In any case, some practices that you can implement now to protect your business are the following:
- Write and establish an exhaustive, documented plan for your company
- Obtain explicit consent for all biometric data you collect
- Ensure that any vendors you use to store data do not turn around and disclose or sell that data
- Ensure strict security protocols are implemented
- Make sure vendor contracts include clauses that force vendors to comply with existing biometric data privacy laws, that give you the right to be notified in the event of a data breach, and that allow you to request information from them at any time
In Summary
It's clear that passing some form of biometric data privacy legislation is on the agenda in Arizona.
As you can see in the information outlined above, there are at least two bills under consideration, and both will likely be hotly debated once the House reconvenes in session. With that in mind, companies that collect any kind of biometric information or biometric identifiers will want to watch this legislation to see how it progresses.
In the meantime, Arizona-based companies can begin preparing themselves to comply with future regulations by implementing the best practices outlined in this article.