USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
Washington Washington’s law prohibits the enrollment of biometric data for a commercial purpose – ie, for marketing products that are unrelated to the initial transaction in which the data was collected – without advance notice, consent or a mecha - nism that notifies consumers of the subsequent use of the biometric data for a commercial pur - pose. Other Sector-Specific State Privacy Statutes State privacy laws also cover additional issues, such as the following. Wiretapping/electronic eavesdropping All 50 states prohibit surreptitious interception of private electronic communications and monitor - ing or recording of private in-person and elec - tronic communications without the consent of at least one of the participants to the communi - cation, subject to exceptions. 12 states require consent of all participants. Student privacy laws Most states have enacted laws that limit how operators of websites, applications and online services that market and provide their prod - ucts and services to K-12 schools and school districts collect, use and disclose the personal information of students. Data breach notification and data security All US states and most US territories have enact - ed data breach notification laws. These laws generally require entities that own, license or maintain personal information of state residents to notify individuals in the event of unauthorised access to acquisition of personal information about those individuals. Such laws typically apply to a core set of personal information, such as:
Washington Consumer Protection Act, unlike state consumer privacy laws. Nevada Nevada’s Consumer Health Data Law (NVCHDL) is like Washington’s MHMD, except that it has no private right of action. Sector-Specific State Privacy Statutes: Biometric Data Three US states (Illinois, Texas and Washing - ton) have laws that govern the collection, use, disclosure and storage of biometric data. Such data typically includes retina or iris scans, fin - gerprints, voiceprints and scans of hand or face geometry. All of these statutes impose notice and consent obligations on covered entities, although specific requirements vary. Illinois The Biometric Information Privacy Act (BIPA) prohibits collection of biometric data without specific advance notice and express consent in writing. It prohibits the selling, leasing or trad - ing of, or profiting from, biometric data under any circumstances, without any exception for consent. The BIPA also uniquely requires com - panies to provide a publicly available policy that includes a retention schedule and destruction guidelines for biometric data. The BIPA provides a private right of action allowing for the recovery of statutory and actual damages. Texas The Capture or Use of Biometric Identifier Act (CUBI) prohibits the capture of biometric data for a commercial purpose without advance notice and express consent. The CUBI prohibits the sale, lease or other disclosure of biometric data to third parties unless one of several very narrow exceptions applies.
531 CHAMBERS.COM
Powered by FlippingBook