The Honorable Anne Carney, Senate Chair
The Honorable Thom Harnett, House Chair
Maine State Legislature
Judiciary Committee
230 State Street
Augusta, Maine 04330

Dear Chair Carney, Chair Harnett, and Members of the Committee:
EPIC writes in support of LD 1945 regarding biometric identifiers and biometric information privacy. Biometric data is highly sensitive. A person’s biometric data is linked to that person’s dignity, autonomy, and identity. Unlike a password or account number, a person’s biometrics cannot be changed if they are compromised. LD 1945 would protect Mainers by requiring that the use and retention of biometric data is minimized and that data is kept secure.
The Electronic Privacy Information Center (EPIC) is a public interest research center established in 1994 to focus public attention on emerging privacy and civil liberties issues. EPIC has long advocated for strict limits on the collection and use of biometric data.
LD 1945 is modeled after the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA has been referred to as one of the most effective and important privacy laws in America. BIPA and LD 1945 set out a simple privacy framework: businesses may not sell, lease, trade, or otherwise profit from a person’s biometric information; businesses must comply with specific retention and deletion guidelines; and companies must use a reasonable standard of care in transmitting, storing, and protecting biometric information that is as protective or more protective than the company uses for other confidential and sensitive information.
BIPA and LD 1945 also include a requirement that a business obtain informed, written consent before collecting or otherwise obtaining a person’s biometric information. Though “notice-and-choice” regimes are not sufficient to protect privacy, the consent provision has proven to be effective in Illinois because it is easy to enforce. It is much easier for an individual to discover and prove that a company collected their biometric data without the requisite consent than it is to prove a violation of the retention and deletion rules that are implemented by businesses after the data is collected.
The inclusion of a private right of action in LD 1945 is the most important tool the Legislature can give to Mainers to protect their privacy. Modeled after BIPA’s private right of action, the bill would impose enforceable legal obligations on companies that choose to collect and store individuals’ biometric data. As EPIC Advisory Board member Professor Woody Hartzog has written:
Many privacy laws include a private right of action to empower individuals and have made it possible to hold accountable those who fail to protect or respect personal data. In crafting liability provisions in privacy statutes, legislatures have frequently included a liquidated damages provision to avoid protracted disputes over quantifying privacy damages. This is necessary because it is often difficult to assign a specific economic value to the harm caused by a privacy violation.
For example, when federal legislators passed the Cable Communications Policy Act in 1984, they established privacy rights for cable subscribers and created a private right of action for recovery of actual damages not less than liquidated damages of $100 per day for violation or $1,000, whichever is higher. The Video Privacy Protection Act specifies liquidated damages of $2,500. The Fair Credit Reporting Act affords individuals a private right of action that can be pursued in federal or state court against credit reporting agencies, users of credit reports, and furnishers. In certain circumstances, individuals can also recover attorney’s fees, court costs, and punitive damages. The Driver’s Privacy Protection Act similarly includes a private right of action. The Telephone Consumer Protection Act allows individuals who receive unsolicited telemarketing calls to recover actual monetary loss or up to $500 in damages per violation.
The statutory damages set in privacy laws are not exorbitant; they are necessary to ensure that privacy rights will be taken seriously and violations not ignored. In the absence of a private right of action, there is a very real risk that companies will not comply with the law because they think it is unlikely that they would get caught or fined. Private enforcement ensures that data collectors have strong financial incentives to meet their data protection obligations. EPIC strongly supports the private right of action provisions in LD 1945.
An individual’s ability to control access to his or her identity, including determining when to reveal it, is an essential aspect of personal security and privacy. The unregulated collection and use of biometrics threatens that right to privacy and puts individuals’ identities at risk. We urge the Committee to give LD 1945 a favorable report.
Brief for EPIC as Amici Curiae, Rosenbach v. Six Flags Entm’t Corp., 2017 Ill. App. 2d 170317 (Ill. 2019), https://epic.org/amicus/bipa/rosenbach/; Comments of EPIC to the Dept. of Homeland Security, Collection and Use of Biometrics by U.S. Citizenship and Immigration Services, 85 F.R. 56338, 4 (Oct. 13, 2020), https://epic.org/apa/comments/EPIC-DHS-BiometricNPRM-Oct2020.pdf.