Category: Biometric Privacy Legal Landscape

International Update: Canada and New Zealand

Post author By Blank Rome LLP
Post date September 11, 2025

Privacy Commissioner of Canada Publishes Guidance on Biometrics for Public and Private Sector

The Office of the Privacy Commissioner of Canada (“OPC”) has issued updated guidance for both public and private sector organizations on the responsible use of biometric technologies, such as facial recognition and fingerprint scanning. This guidance follows a public consultation held between November 2023 and February 2024, which included input from academia, civil society, businesses, legal associations, and individuals. The guidance emphasizes the need for a clear and appropriate purpose when collecting, using, or disclosing biometric data. Organizations must assess privacy risks, ensure proportionality, and implement safeguards to protect biometric information. The guidance outlines consent requirements, stresses transparency, and calls for accuracy testing of biometric systems.

New Zealand Privacy Commissioner Announces New Biometrics Rules

The New Zealand Privacy Commissioner has introduced a Biometric Processing Privacy Code (the “Code”) that will create specific privacy rules for businesses and organizations using biometric technologies such as facial recognition. The Code aims to balance innovation with the protection of sensitive personal data while ensuring that businesses and organizations using biometric systems do so safely, transparently, and proportionately. Key requirements of the Code include mandatory assessments of whether biometric use is effective and proportionate, implementation of safeguards to reduce privacy risks, and requirements to notify individuals when biometric data is being collected. The Code prohibits intrusive uses, such as predicting emotions or inferring protected characteristics like ethnicity or sex. The Code comes into force on November 3, 2025, with a grace period until August 3, 2026, for existing biometric systems to comply. It carries the same legal weight as the New Zealand Privacy Act Information Privacy Principles and replaces them for biometric-specific applications.

To read more articles from the September 2025 edition of Blank Rome’s BR Privacy & Security Download, please visit our website

Tags BR Privacy & Security Download, Canada, New Zealand

Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Colorado Attorney General Announces Adoption of Amendments to Colorado Privacy Act Rules + Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement

Post author By Blank Rome LLP
Post date January 16, 2025

Colorado Adopts Amendments to CPA Rules

The Colorado Attorney General announced the adoption of amendments to the Colorado Privacy Act (“CPA”) rules. The rules will become effective on January 30, 2025. The rules provide enhanced protections for the processing of biometric data as well as the processing of the online activities of minors. Specifically, companies must develop and implement a written biometric data policy, implement appropriate security measures regarding biometric data, provide notice of the collection and processing of biometric data, obtain employee consent for the processing of biometric data, and provide a right of access to such data. In the context of minors, the amendment requires that entities obtain consent prior to using any system design feature designed to significantly increase the use of an online service of a known minor and to update the Data Protection Assessments to address processing that presents heightened risks to minors. Entities already subject to the CPA should carefully review whether they may have heightened obligations for the processing of employee biometric data, a category of data previously exempt from the scope of the CPA.

Attorneys General Oppose Clearview AI Biometric Data Privacy Settlement

A proposed settlement in the Clearview AI Illinois Biometric Information Privacy Act (“BIPA”) litigation is facing opposition from 22 states and the District of Columbia. The Attorneys General of each state argue that the settlement, which received preliminary approval in June 2024, lacks meaningful injunctive relief and offers an unusual financial stake in Clearview AI to plaintiffs. The settlement would grant the class of consumers a 23 percent stake in Clearview AI, potentially worth $52 million, based on a September 2023 valuation. Alternatively, the class could opt for 17 percent of the company’s revenue through September 2027. The AGs contend the settlement doesn’t adequately address consumer privacy concerns and the proposed 39 percent attorney fee award is excessive. Clearview AI has filed a motion to dismiss the states’ opposition, arguing it was submitted after the deadline for objections. A judge will consider granting final approval for the settlement at a hearing scheduled on January 30, 2025.

To read more articles from the January 2025 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Proposed Amendments to Colorado Privacy Act Rules + Landmark Ruling on Retroactive Application of BIPA Amendments

Post author By Blank Rome LLP
Post date December 10, 2024

Colorado AG Releases Revisions to Draft Colorado Privacy Act Rules

The Colorado Attorney General’s Office released the second version of its proposed amendments to the Colorado Privacy Act rules. This round of revisions seeks to take into account concerns expressed through public input to the first draft of the amendments. The rules address two laws amending the Colorado Privacy Act that heightened protections for biometric data and children’s data that were signed into law in 2024. The amendments to the Colorado Privacy Act require businesses operating in Colorado to keep written policies on how they handle and dispose of biometric data and to provide consumers with notice of the collection of biometric information take effect July 1, 2025. The draft rules define the notice and consent requirements for biometric data, including notice and consent requirements for employees, contractors, and subcontractors. Amendments to the Colorado Privacy Act relating to children’s data take effect on October 1, 2025, and will require companies to use “reasonable care” to avoid harms to a consumer they know is under 18 and limit use and collection of minors’ data.

Blank Rome Secures Landmark Ruling on Retroactive Application of BIPA Amendments

A Blank Rome team representing DNJ Intermodal Services LLC prevailed in striking the complainant’s prayer for relief, which sought $1,000 or $5,000 for each of the thousands of times six plaintiffs allegedly had their hands scanned at work. Will County Judge Roger D. Rickmon found—perhaps the first among Illinois state judges—that a recent amendment to the Biometric Information Privacy Act (“BIPA” or “the Act”), which stipulates that a business collecting identical biometric data multiple times from the same person in violation of the law is liable for only a single violation, applies retroactively to claims that arose and were filed prior to August 2, 2024, the effective date of the Act. This landmark ruling shaves potential BIPA damages for most pending cases from astronomical damages of millions (or hundreds of millions) of dollars to $1,000 or $5,000 per person. The question of whether BIPA’s amendment applies retroactively is simmering in courts throughout the state of Illinois and is expected to eventually make its way up to Illinois’ Courts of Appeals and perhaps the Illinois Supreme Court. The Blank Rome team representing DNJ Intermodal Services LLC included Daniel Saeedi, Rachel Schaller, Jeffrey N. Rosenthal, Amanda Noonan, and Gabrielle Ganze.

To read more articles from the December 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Tags Biometric Information Privacy Act, BIPA, BR Privacy & Security Download, Colorado, Colorado Privacy Act, retroactive application

Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Case Law Developments Class Action Litigation Defense Strategies

Texas Attorney General Reaches Largest-Ever Biometrics Settlement with Meta

Post author By Blank Rome LLP
Post date August 28, 2024

Amanda M. Noonan |

On July 30, 2024, a Texas state court issued an Order finalizing the largest-ever biometrics settlement, between the Texas Attorney General and Meta for a staggering $1.4 billion. The settlement resolves a longstanding civil action brought by the Texas Attorney General in 2022 asserting violations under Texas’s Capture or Use of Biometric Identifier Act (“CUBI”).

Tags Capture or Use of Biometric Identifier Act, CUBI, settlement, Texas

Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Illinois Governor Signs the First Amendment to BIPA Since Its Passage 16 Years Ago

Post author By Blank Rome LLP
Post date August 13, 2024

Daniel R. Saeedi, Rachel L. Schaller, and Gabrielle N. Ganze |

An amendment to Illinois’ biometric privacy law, the Illinois Biometric Information Privacy Act (“BIPA”) has finally become law. And, this amendment implements major changes to how damages accrue under BIPA.

Tags BIPA, Illinois, Illinois Biometric Information Privacy Act

Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Case Law Developments

Northern District of Illinois Weighs in on Employment-Related Examinations under Illinois’ GIPA

Post author By Blank Rome LLP
Post date August 5, 2024

Gabrielle N. Ganze |

In an important privacy law development, United States District Court for the Northern District of Illinois, Judge Sharon Johnson Coleman, has issued two of the first federal decisions applying a substantive analysis to provisions of the Illinois Genetic Information Privacy Act, 410 ILCS 513/1 et seq. (“GIPA”) as it relates to employment-related examinations.

Tags Biometric Information Privacy Act, BIPA, employment, genetic information, Genetic Information Nondiscrimination Act, Genetic Information Privacy Act, GINA, GIPA, Illinois, Illinois Biometric Information Privacy Act, Illinois Genetic Information Privacy Act

Biometric Privacy Legal Landscape Legislative Developments & Trends

BIPA Amendments + FTC Warns Automakers

Post author By Blank Rome LLP
Post date June 11, 2024

Amendments to the Illinois Biometric Information Privacy Act Would Dramatically Affect Accrual of Damages

The Illinois Legislature approved Senate Bill 2979 (“S.B. 2979”) to amend the Biometric Information Privacy Act (“BIPA”). SB 2979 would limit the extent of potential civil penalties awarded under BIPA by clarifying that multiple collections of a person’s biometric identifier or biometric information using the same method of collection is considered a single violation of BIPA. Once signed, S.B. 2979 will overturn the Illinois Supreme Court’s interpretation of accrual of damages under BIPA in Cothron v. White Castle Sys., Inc., which held that separate BIPA claims accrued with each scan or transmission. SB 2979 further provides that BIPA’s “written release” requirement may be met by an electronic signature.

Senators Call on FTC to Investigate Automakers; FTC Issues Warning to Automakers

Senators Ron Wyden and Edward Markey issued a letter to the Federal Trade Commission (“FTC”) Commissioner Lina Khan requesting that the FTC investigate major automakers’ sharing of geolocation data in response to law enforcement requests. The letter follows an inquiry by Senator Wyden’s office, which asked the association representing automakers how their members respond to law enforcement requests for location information collected from vehicles. The letter alleges that several auto manufacturers do not require a warrant or court order to provide geolocation information to law enforcement as required by their pledge under the Consumer Privacy Protection Principles of the Alliance of Automobile Manufacturers and the Association of Global Automakers. Two weeks later, the FTC released a post to its Technology Blog reminding car manufacturers, and all businesses, that the FTC will take action to protect consumers against unfair and deceptive practices with respect to the collection, use, and sharing of data, particularly sensitive personal data such as geolocation and biometric data.

To read more articles from the June 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Tags automakers, BIPA, BR Privacy & Security Download, damages, Illinois, Illinois Biometric Information Privacy Act, vehicles

Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

Maryland Passes Unique and Operationally Challenging Privacy Law

Post author By Blank Rome LLP
Post date May 21, 2024

Philip N. Yannella, Sharon R. Klein, Timothy W. Dickens, and Jason C. Hirsch |

Maryland recently became the fifth state in 2024—and the 17th U.S. state overall—to pass a comprehensive data privacy law. Effective October 1, 2025, the Maryland Online Data Privacy Act (“MODPA”) contains a number of unique provisions that govern the processing of sensitive and children’s data, among other things. These unique provisions, combined with the broad applicability of the law, makes MODPA one of the more operationally challenging privacy laws passed in the United States to date.

Scope and Applicability

MODPA applies to individuals that do business in Maryland or target services to Maryland residents and who, during the prior calendar year, either controlled or processed the personal data of at least 35,000 Maryland residents or controlled or processed the personal data of at least 10,000 Maryland residents and derived more than 20 percent of their gross revenue from the sale of personal data. The 35,000 threshold is 0.56 percent of Maryland’s total population of 6.18 million and is notably lower than other state privacy laws. Most U.S. states set a threshold for processing of 100,000 state residents. Only Delaware, with a population of 990,000, has a processing threshold as low as Maryland’s. The law also lacks a full exemption for non-profit institutions as well as institutions of higher education.

The relatively low threshold for compliance combined with the lack of familiar exemptions means that MODPA will likely trigger compliance obligations for a swath of institutions that haven’t had to comply with many other U.S. state privacy laws.

Read the full client alert on our website.

Tags Maryland, Maryland Online Data Privacy Act, MODPA

Biometric Privacy Legal Landscape Case Law Developments The Lighter Side of Biometrics

Monthly BIPA Filings: April 2024

Post author By Blank Rome LLP
Post date May 14, 2024

Daniel R. Saeedi |

Biometric Information Privacy Act (“BIPA”) filings continue to occur in the Illinois courts. April saw 53 new BIPA complaints filed in Illinois, the vast majority of which were brought in Cook County.

Facial geometry cases continue to rise, with eight explicit face scan cases being filed, and an additional twelve cases that hint at facial recognition technology.
The transportation industry continues to be the sector seeing the most BIPA complaints filed against it (18), with the food, health, and beauty sectors also being hit with multiple BIPA claims.

Companies using any form of biometric technology in Illinois should be aware of this highly litigious environment and make sure that such use is in compliance with the law. This is especially true for businesses operating in the transportation, trucking, and logistics sectors, given the above trends.

Tags Biometric Information Privacy Act, BIPA, Illinois, Illinois Biometric Information Privacy Act, Monthly BIPA Filings

Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

The Oregon Consumer Data Privacy Act Takes Effect July 1, 2024

Post author By Blank Rome LLP
Post date May 13, 2024

Gabrielle N. Ganze |

With its passage of Oregon Consumer Data Privacy Act (“OCDPA”), Oregon became one of 16 states to pass comprehensive data privacy laws.

Regulated Entities and Data

The OCDPA generally applies to any person who meets two requirements:

conducts business in the state, or “provides” products or services to Oregon’s residents; and
within a calendar year, controls or processes personal data of
- 100,000 or more consumers, or
- 25,000 or more consumers and also derives at least 25 percent of its gross revenue from selling personal data.

“Personal data” regulated by the Act broadly includes any “derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

The OCDPA imposes additional requirements for personal data that is considered “sensitive data.” Such data includes children’s data; genetic or biometric data; precise geolocation data; or data that “reveals a consumer’s” national origin, citizen or immigration status, racial or ethnic background, religious beliefs, mental or physical condition/diagnosis, sexual orientation, transgender or non-binary status, or status as a victim of crime. This definition of sensitive data is more expansive that other privacy statutes with its inclusion of categories such as transgender or non-binary status.

Tags OCDPA, Oregon, Oregon Consumer Data Privacy