Modern technologies found in sensors, software, and readers make it increasingly possible to use fingerprints, facial recognition, retinal or iris scans, voiceprint reading, gait analysis, or keystroke analysis to identify a person.
In response to these technologies, some state legislatures (Arkansas, California, Illinois, New York, Texas, Washington) have enacted biometric information privacy laws that govern the collection and use of this data.
For example, in Illinois, the Biometric Information Privacy Act (BIPA) provides a set of rules for companies collecting biometric data—and unlike the biometric data privacy statutes in Texas and Washington, it creates a private cause of action, allowing Illinois residents whose biometric data is improperly collected or used to file a lawsuit for the violation of the statute.
There are essentially five key features of the Illinois law known as BIPA:
• it requires informed consent prior to collection;
• it prohibits any profiting from biometric data;
• it allows only a limited right to disclose the data;
• it sets forth both protection obligations and data retention guidelines for businesses; and
• it creates a private cause of action for those harmed by BIPA violations.
As of my knowledge cutoff date in early 2023, Massachusetts does not have a comprehensive biometric information privacy law similar to the Biometric Information Privacy Act (BIPA) of Illinois. While Massachusetts has general laws regarding privacy and data protection, such as the Massachusetts Data Security Law (M.G.L. Chapter 93H) which requires businesses to protect personal information, and the Massachusetts Consumer Protection Act (M.G.L. Chapter 93A) which prohibits unfair or deceptive acts or practices, there is no specific statute that addresses the collection, use, and storage of biometric data in the same manner as BIPA. Companies operating in Massachusetts are subject to federal laws such as the Children's Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA), which may have implications for biometric data, but these do not provide the same level of specificity or the private right of action that BIPA does. Residents of Massachusetts concerned about the use of their biometric data would need to rely on the broader privacy protections provided by state and federal law, or advocate for the passage of specific biometric privacy legislation in the state.
