Over the past few decades, technology has taken a fascinating turn. One can use a retinal scan to expedite the airport security process. Need to clock in for work? This can be done with the scan of a finger. We even have the convenience of unlocking our iPhones with a simple, quick gaze into the phone’s front camera. While the use of this technology has certainly made things easier, such use across various industries has led to concerns about individual privacy.
In response to these concerns, the Mississippi Legislature, on January 12, 2023, proposed House Bill 467, the Biometric Identifiers Privacy Act. The proposed legislation, among other things, seeks to require private entities (1) to be forthcoming about their collection and storage of individuals’ biometric identifiers, and (2) to develop a policy that establishes a retention schedule and guidelines for destroying the biometric identifiers of individuals.
What are biometric identifiers?
Inquiring minds may be wondering, what are biometric identifiers? Simply put, and pursuant to the act, biometric identifiers are defined as “the data of an individual generated by the individual’s unique biological characteristics.” Biometric identifiers may include, but are not limited to:
- Retina or iris images
The act defines biometric identifiers to not include:
- A writing sample of written signature
- A photograph or video, except for data collected from the biological characteristics of a person depicted in the photograph or video
- A human biological sample used for valid scientific testing or screening
- Demographic data
- A physical description, including height, weight, hair color, eye color, or a tattoo description
- Donated body parts that have been obtained or stored by a federal agency
- Information collected, used, or stored for purposes under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Images or film of the human anatomy used to diagnose and treat medical conditions or to further validate scientific testing
- Information collected, used, or disclosed for human subject research that is conducted in accordance with the federal policy for the protection of human subjects
If passed, who will the act apply to?
The act will apply to private entities only. The act defines a private entity as “any individual acting in a commercial context, partnership, corporation, limited liability company, association, or other group, however organized.” The act will not apply to state or local government agencies or entities.
What will a Mississippi private entity need to do to ensure it is in compliance with the act?
If enacted, Mississippi private entities in possession of biometric identifiers will be required to, among other things:
- Inform subjected individuals (or their legal representative), in writing, that they are collecting or storing that individual’s biometric identifier(s)
- Inform the individual, in writing, of the purpose of the collection, storage, and/or use of their biometric identifier(s) and the length to which they plan to collect, store, and/or use
- Obtain a written release executed by the subject (or legal representative) of the biometric identifier
- Develop a publicly accessible written policy that establishes a retention schedule and guidelines for permanently destroying a biometric identifier
- The entity is not required to make its policy publicly accessible if the policy (1) applies only to employees of that private entity, and (2) is used solely within the private entity for operation of the private entity.
- Additionally, the entity must destroy any possession of an individual’s biometric identifier on the earliest of (1) the date on which the purpose of collecting or obtaining the biometric identifiers have been satisfied; (2) one year after the individual’s last interaction with the private entity; or (3) 30 days after receiving an individual’s (or legal representative’s) request to delete the biometric identifiers.
Furthermore, if an individual (or legal representative) requests that the private entity disclose any biometric identifiers that the private entity collected, the private entity must do so free of charge.
Of course, nothing in life is free. Such “free” disclosure is specific to entities that (1) do business in Mississippi; (2) are for profit; (3) collect consumers’ biometric identifiers or have such identifiers collected on their behalf; and (4) obtained revenue exceeding $10 million in the preceding calendar year.
What does this mean for Mississippi private entities?
Let’s face it, most people are sick and tired of having to remember passwords and verification questions for every system or database they must access on a regular basis. Because of this, people may prefer the collection, storage, and/or use of their biometric identifiers in exchange for convenience and easy access. However, use of such biometric identifiers will require entities to comply with applicable state and federal laws. To avoid any civil liability for the failure to protect an individual’s biometric identifiers under Mississippi law, Mississippi private entities should:
- Prepare policies that are in compliance with the act, and make such policies available to individuals whose biometric data is being obtained. Specifically, draft a policy that details the entity’s retention plan for the collection and storage of biometric identifiers, as well as guidelines for destroying the biometric identifiers. Compliance with such policies is key.
- Inform individuals, in writing, that you are collecting their biometric data. A private entity should also inform the individual, in writing, of the specific purpose and length of term for collecting the biometric data.
- Obtain written releases from individuals whose biometric identifiers are being collected, stored, and/or used.
- Use strong cybersecurity software and processes using a reasonable standard of care within the private entity’s industry to protect the biometric identifiers of individuals.
- Destroy the biometric identifiers upon request by the individual.
- Train management on the policies and the importance of protecting biometric identifiers so they can answer and alleviate individuals’ questions and/or concerns regarding the collection of their biometric identifiers.
A failure to comply with the act will have its consequences. The act creates a private right of action against an offending entity. If successful in proving their claims, individuals may recover the greater of $1,000 or actual damages for negligently violating the act or the greater of $5,000 or actual damages for intentionally or recklessly violating the act plus reasonable attorneys’ fees and costs, and other relief to which a court deems appropriate.
If passed, the act will take effect on July 1, 2023. For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.