Tag: BR Privacy & Security Download

International Update: Canada and New Zealand

Post author By Blank Rome LLP
Post date September 11, 2025

Privacy Commissioner of Canada Publishes Guidance on Biometrics for Public and Private Sector

The Office of the Privacy Commissioner of Canada (“OPC”) has issued updated guidance for both public and private sector organizations on the responsible use of biometric technologies, such as facial recognition and fingerprint scanning. This guidance follows a public consultation held between November 2023 and February 2024, which included input from academia, civil society, businesses, legal associations, and individuals. The guidance emphasizes the need for a clear and appropriate purpose when collecting, using, or disclosing biometric data. Organizations must assess privacy risks, ensure proportionality, and implement safeguards to protect biometric information. The guidance outlines consent requirements, stresses transparency, and calls for accuracy testing of biometric systems.

New Zealand Privacy Commissioner Announces New Biometrics Rules

The New Zealand Privacy Commissioner has introduced a Biometric Processing Privacy Code (the “Code”) that will create specific privacy rules for businesses and organizations using biometric technologies such as facial recognition. The Code aims to balance innovation with the protection of sensitive personal data while ensuring that businesses and organizations using biometric systems do so safely, transparently, and proportionately. Key requirements of the Code include mandatory assessments of whether biometric use is effective and proportionate, implementation of safeguards to reduce privacy risks, and requirements to notify individuals when biometric data is being collected. The Code prohibits intrusive uses, such as predicting emotions or inferring protected characteristics like ethnicity or sex. The Code comes into force on November 3, 2025, with a grace period until August 3, 2026, for existing biometric systems to comply. It carries the same legal weight as the New Zealand Privacy Act Information Privacy Principles and replaces them for biometric-specific applications.

To read more articles from the September 2025 edition of Blank Rome’s BR Privacy & Security Download, please visit our website

Tags BR Privacy & Security Download, Canada, New Zealand

Biometric Privacy Legal Landscape Case Law Developments Legislative Developments & Trends

Proposed Amendments to Colorado Privacy Act Rules + Landmark Ruling on Retroactive Application of BIPA Amendments

Post author By Blank Rome LLP
Post date December 10, 2024

Colorado AG Releases Revisions to Draft Colorado Privacy Act Rules

The Colorado Attorney General’s Office released the second version of its proposed amendments to the Colorado Privacy Act rules. This round of revisions seeks to take into account concerns expressed through public input to the first draft of the amendments. The rules address two laws amending the Colorado Privacy Act that heightened protections for biometric data and children’s data that were signed into law in 2024. The amendments to the Colorado Privacy Act require businesses operating in Colorado to keep written policies on how they handle and dispose of biometric data and to provide consumers with notice of the collection of biometric information take effect July 1, 2025. The draft rules define the notice and consent requirements for biometric data, including notice and consent requirements for employees, contractors, and subcontractors. Amendments to the Colorado Privacy Act relating to children’s data take effect on October 1, 2025, and will require companies to use “reasonable care” to avoid harms to a consumer they know is under 18 and limit use and collection of minors’ data.

Blank Rome Secures Landmark Ruling on Retroactive Application of BIPA Amendments

A Blank Rome team representing DNJ Intermodal Services LLC prevailed in striking the complainant’s prayer for relief, which sought $1,000 or $5,000 for each of the thousands of times six plaintiffs allegedly had their hands scanned at work. Will County Judge Roger D. Rickmon found—perhaps the first among Illinois state judges—that a recent amendment to the Biometric Information Privacy Act (“BIPA” or “the Act”), which stipulates that a business collecting identical biometric data multiple times from the same person in violation of the law is liable for only a single violation, applies retroactively to claims that arose and were filed prior to August 2, 2024, the effective date of the Act. This landmark ruling shaves potential BIPA damages for most pending cases from astronomical damages of millions (or hundreds of millions) of dollars to $1,000 or $5,000 per person. The question of whether BIPA’s amendment applies retroactively is simmering in courts throughout the state of Illinois and is expected to eventually make its way up to Illinois’ Courts of Appeals and perhaps the Illinois Supreme Court. The Blank Rome team representing DNJ Intermodal Services LLC included Daniel Saeedi, Rachel Schaller, Jeffrey N. Rosenthal, Amanda Noonan, and Gabrielle Ganze.

To read more articles from the December 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Tags Biometric Information Privacy Act, BIPA, BR Privacy & Security Download, Colorado, Colorado Privacy Act, retroactive application

Biometric Privacy Legal Landscape Legislative Developments & Trends

BIPA Amendments + FTC Warns Automakers

Post author By Blank Rome LLP
Post date June 11, 2024

Amendments to the Illinois Biometric Information Privacy Act Would Dramatically Affect Accrual of Damages

The Illinois Legislature approved Senate Bill 2979 (“S.B. 2979”) to amend the Biometric Information Privacy Act (“BIPA”). SB 2979 would limit the extent of potential civil penalties awarded under BIPA by clarifying that multiple collections of a person’s biometric identifier or biometric information using the same method of collection is considered a single violation of BIPA. Once signed, S.B. 2979 will overturn the Illinois Supreme Court’s interpretation of accrual of damages under BIPA in Cothron v. White Castle Sys., Inc., which held that separate BIPA claims accrued with each scan or transmission. SB 2979 further provides that BIPA’s “written release” requirement may be met by an electronic signature.

Senators Call on FTC to Investigate Automakers; FTC Issues Warning to Automakers

Senators Ron Wyden and Edward Markey issued a letter to the Federal Trade Commission (“FTC”) Commissioner Lina Khan requesting that the FTC investigate major automakers’ sharing of geolocation data in response to law enforcement requests. The letter follows an inquiry by Senator Wyden’s office, which asked the association representing automakers how their members respond to law enforcement requests for location information collected from vehicles. The letter alleges that several auto manufacturers do not require a warrant or court order to provide geolocation information to law enforcement as required by their pledge under the Consumer Privacy Protection Principles of the Alliance of Automobile Manufacturers and the Association of Global Automakers. Two weeks later, the FTC released a post to its Technology Blog reminding car manufacturers, and all businesses, that the FTC will take action to protect consumers against unfair and deceptive practices with respect to the collection, use, and sharing of data, particularly sensitive personal data such as geolocation and biometric data.

To read more articles from the June 2024 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Tags automakers, BIPA, BR Privacy & Security Download, damages, Illinois, Illinois Biometric Information Privacy Act, vehicles