Legislators in Maryland on Wednesday heard testimony from supporters and detractors of a bill that would set stringent privacy requirements on companies that collect biometric signifiers, including fingerprints, voiceprints, facial scans and retinal images from their customers.
House Bill 259, which was brought up for debate by the Maryland House of Delegates’ Economic Matters Committee, would allow companies doing business in the state to only use those biometric technologies if they get written consent from customers, set firm calendars for retention and destruction of that data and block companies from conditioning service on data collection.
The bill would also give Marylanders what’s known as a private right of action, the ability to sue companies individually if they believe their biometric information is being improperly collected or used.
“Right now there are no rules,” Democratic Del. Sara Love, the bill’s lead sponsor, said during the hearing. “This bill sets guardrails for the collection of biometrics.”
Love said that technologies like facial recognition have a track record of misidentifying people, particularly Black men and women, which has sometimes led to wrongful arrests. But Love also pointed to instances that’ve occurred in consumer environments, such as one last July, when a 14-year-old girl was kicked out of a Detroit-area roller rink after the venue’s facial-recognition cameras misidentified her as a different girl who’d been in a fight there.
The bill’s also drawn the support of groups like the American Civil Liberties Union, which argues that breaches or exposures of biometric data can be graver than those of other types of personal information.
“If our biometric identifiers are disseminated or leaked, the harm can be irreparable because unlike a credit-card number, they cannot be changed,” Nate Wessler, an ACLU lawyer, said during the hearing.
Love’s bill appears to be modeled on Illinois’ Biometric Information Privacy Act, or BIPA, which has been on the books there since 2008, much to the consternation of the tech industry and other business lobbies because it includes a private right of action. (Washington and Texas also have biometric privacy laws, but do not include that legal mechanism.)
Numerous lawsuits have been brought under the Illinois act, especially against retailers as more brick-and-mortar stores add facial-recognition platforms, like Clearview AI, to their security operations. The hardware chains Lowe’s and Home Depot were sued in 2019, while Macy’s has been fighting a suit in Chicago federal court since summer 2020.
Tech-industry representatives on Wednesday told the Maryland lawmakers that Love’s bill, as currently drafted, would bring more of the same.
“Much like Chris Stapleton took a song from the early 80s and gave it new life, HB 259 is riffing on a 2008 law in Illinois. Unlike ‘Tennessee Whiskey,’ however, we believe the original in this case does not merit a cover,” said Chris Gilrein, executive director of TechNet, a trade group for tech executives, referencing the country singer’s 2015 rendition of a 1981 Nashville hit.
Several other industry representatives said the bill could curtail use of products like home-security systems that read visitors’ faces and internet-connected audio devices that use voice recognition.
The Maryland biometric privacy bill will be read at least two more times before legislators vote on it.