A Legal Guide to PRIVACY AND DATA SECURITY 2024

State Laws-Social Security Numbers. Many states, including Minnesota, have enacted laws governing the use of social security numbers. Such laws generally prohibit the public posting or displaying of an individual’s social security number, the printing of a social security number on anything sent through the mail, prohibiting the sending of a social security number over the Internet without encryption, and/ or using a person’s social security number on any other cards, such as student ID cards. State Laws-Biometric Data. Biometric information, or physical and behavioral traits used to identify a particular person (i.e. fingerprints, facial features, etc.) has been the subject of several state privacy laws. Illinois was the first, passing the Biometric Information Privacy Act (BIPA) in 2008, which remains the strongest biometric privacy law in the country. BIPA requires private entities to obtain consent before collecting or disclosing biometric identifiers, to destroy stored biometric data in a timely fashion, and to store biometric data securely. Similar to the CCPA, BIPA also provides for a private right of action. Under BIPA, a person can recover liquidated damages of up to $5,000 or actual damages, whichever amount is greater, for an intentional or reckless violation of BIPA. In 2019 alone, there have already been over 160 class actions filed asserting BIPA violations. Texas also passed a biometric privacy law in 2009. Texas’ biometric privacy law is somewhat narrower than Illinois’. Texas defines biometric information as “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry” and does not provide a private right of action. Washington passed H.B. 1493, effective July 23, 2017, which establishes requirements for businesses that collect and use biometric identifiers. The Washington law excludes facial recognition data and provides an exemption for biometric data collected for a “security purpose.” State Laws-Drivers’ Licenses and Identification Cards. New Jersey’s Personal Information Privacy Protection Act (PIPPA), which became effective October 1, 2017, limits the purposes for which businesses may scan customers’ identification cards and prohibits sharing that

128

Made with FlippingBook - Online Brochure Maker