Maryland’s Biometrics Bill Fails to Strike the Right Balance for Privacy and Innovation

Ashley Johnson February 18, 2022
February 18, 2022

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)

As Congress continues to delay passing comprehensive federal data-privacy legislation, state and local governments are attempting to fill in the gaps, with mixed results for businesses and consumers. Like many other states and cities across America, Maryland has turned its attention to biometrics technologies, including facial recognition and other technologies that identify individuals using their unique physical characteristics. While Maryland’s proposed legislation to establish rules surrounding the use of biometrics technologies is a step ahead of other localities’ attempts to outright ban its use, the bill fails to strike the right balance between privacy and innovation.

Maryland’s Biometric Identifiers Privacy Act (BIPA) would require that companies obtain consent before collecting biometric information and tell consumers what information is being taken and stored and for how long. It would also ban companies from profiting off of consumers’ biometric information, create rules for when companies must delete this information, and establish a private right of action, allowing consumers to sue companies that break the rules even if there is no harm.

Some of these rules would increase consumer privacy without placing an undue burden on businesses. For example, transparency rules—requiring companies to disclose what information they collect, how they store that information, and how long they store it—would allow consumers to make informed decisions about their personal data. However, other rules laid out in BIPA would negatively affect Maryland’s data economy.

First, requiring that businesses obtain written consent to collect consumers’ biometric information—an opt-in requirement—is costlier than the alternative, an opt-out requirement, and these expenses are passed on to consumers. But it does not provide greater privacy protections to consumers since either way individuals can choose whether to share their information.

Second, a private right of action is even costlier, subjecting companies to a flood of expensive lawsuits, often with minimal payouts for actual consumers. In Illinois, where a similar law has been on the books, companies have been subject to over a thousand class action lawsuits. Even when these lawsuits have no merit, companies must pay lawyers long enough for the lawsuits to be dismissed. The only people who benefit from this arrangement are privacy lawyers.

Even if Maryland’s proposed law did not contain an expensive opt-in requirement and private right of action, addressing data privacy on a state-by-state and issue-by-issue level is an inefficient approach. A single, comprehensive federal data privacy law that addresses all forms of personal data, including biometrics, and applies nationwide would make compliance easier for businesses and provide all Americans with the same level of privacy protection. But as long as Congress drags its feet on passing any such legislation, state and local governments will continue to pass legislation of their own that, like BIPA, often fails to consider the potential economic impact of new regulations.