The legislation would establish a number of rules, such as requiring private entities to create a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers.
Once such a policy is established, it would have to be shared with anyone whose biometric information is collected, and all biometric data must be destroyed within one year of the person’s last interaction with a private entity or when the data collection’s initial purpose has been satisfied.
The bill would also not allow private entities to collect, purchase, sell, lease, trade, obtain or disseminate a person’s biometric information without their knowledge or consent.
Under the legislation, if someone’s biometric data were wrongfully obtained or shared, private entities could face fines of no less than $5,000 per violation.
"The important part of the bill is establishing protections for this type of data and, of course, remedying any issues if someone’s information was released or compromised,” Sen. Michael Moore said.
On the flip side, Moore said, the challenge is finding out how this information is being obtained and establishing guidelines for businesses to protect it.
Another issue is dealing with companies’ disregard for consumers’ personal privacy and safety, according to Sen. Mark Montigny.
“For far too long, companies in this sector have been obsessed with nothing but profit ... Their insidious level of data mining violates our very basic principles of personal privacy and autonomy,” Montigny said via email.
"Yet,” Montigny continued, “dim-witted regulators and inept politicians have indulged this behavior for years, creating a 21st-century Wild West where our most intimate information is up for grabs.”
Montigny stressed the importance of U.S. federal and state governments working together to place limits on the industry through legislation.
The bill would also establish a private right of action that would allow individuals to enforce the law if companies violate it and unlawfully collect or use biometric data, said Kade Crockford, director of the Technology for Liberty Program at the ACLU of Massachusetts, via email.
Crockford also emphasized the importance of state legislatures taking action to give residents control over their own biometric information.
Specifically, she said, state laws should sensitively treat biometric data by prohibiting corporations from collecting it without consent and regulating the ways corporations can use these records.
As for the ultimate fate of the bill, Moore said that “the best approach to getting this passed is looking at how we are dealing with cyber issues" and "incorporating guidelines" from previous bills.
