The Regulation and Use of Biometric Data Act Exposed
The Regulation and Use of Biometric Data Act was considered by ALEC's Public Safety and Elections Task Force at the 2012 Spring Task Force Summit on May 11, 2012. This bill was part of the ALEC task force agenda between 2010 and 2012, but due to incomplete information, it is not known if the bill passed in a vote by legislators and lobbyists at ALEC task force meetings, if ALEC sought to distance itself from the bill as the public increased scrutiny of its pay-to-play activities, or if key operative language from the bill has been introduced by an ALEC legislator in a state legislature in the ensuing period or became binding law.
ALEC Draft Bill Text
Summary
This Act protects an individual’s privacy and personal identification information by providing specific guidance and regulations on how biometric identification data may be collected, used, and stored. Though the use of biometric data can be necessary to ensure proper identification in specific settings, it is imperative that this data neither be mishandled nor misused.
Model Legislation
Section 1. {Definitions}
The following definitions apply in this Act:
(A) "Biometric data" means fingerprints, handprints, voices, facial mapping, iris images, retinal images, vein scans, hand geometry, or finger geometry.
(B) "Biometric information" means biometric data that is used in a biometric system for fingerprint recognition, hand geometry recognition, finger geometry recognition, voice recognition, facial recognition, iris scans, retinal scans, or vein recognition.
(C) "Biometric system" means an automated system capable of:
- (1) Capturing biometric data from an individual's biometric information;
- (2) Extracting and processing the biometric data captured under of this Subsection;
- (3) Storing the biometric data extracted under Subsection (2) of this Subsection;
- (4) Comparing the biometric data extracted under Subsection (2) of this Subsection with biometric data stored for the individual for use in future recognition of the individual; and
- (5) Determining how well the extracted and stored biometric data match when compared under Subsection (4) of this Subsection, and indicating whether an identification or verification of identity has been achieved;
(D) "Collector" means a person who collects the biometric information of another individual.
(E) "Contractor" means a person who contracts with a collector to store the biometric information collected by the collector, and includes a person to whom the contractor sells the contractor's business and transfers the biometric information.
(F) "Facial mapping" means the use of digital technology to measure the features of an individual's face.
(G) "Facial recognition" means the use of facial mapping for recognition purposes.
(H) "Finger geometry recognition" means the use of the shape and dimensions of one or more fingers for recognition purposes.
(I) "Fingerprint recognition" means the use of the physical structure of an individual's fingerprint for recognition purposes.
(J) "Governmental entity" means a state agency, a municipality, and an agency of a municipality; in this Subsection, "state agency" means an agency of the executive, judicial, or legislative branch of state government.
(K) "Hand geometry recognition" means the use of the physical structure of an individual's hand for recognition purposes.
(L) "Iris scan" means the use of an image of the physical structure of an individual's iris for recognition purposes.
(M)"Retinal scan" means the use of the pattern of blood vessels in an individual's eye for recognition purposes.
(N) "Vein recognition" means the use of the veins in an individual's skin for recognition purposes.
Section 2. {Biometric information collection}
(A) A person may not collect the biometric information of another individual unless the person first:
- (1) Notifies the individual in a clear manner that the biometric information is being collected, the specific purpose for which the biometric information will be used, and how long the biometric information will be kept; and
- (2) Receives, in a written, electronic, or other form by which the consent can be documented, the individual's full consent to the collection of the biometric information, the specific purpose for which the biometric information will be used, and how long the biometric information will be kept.
(B) Unless the individual's biometric information was needed for a specific authorized law enforcement, security, or fraud prevention purpose, an individual may, at any time, revoke or amend the individual's consent provided under Subsection (A) of this Section.
(C) Any collection of a digital photo image with a pixel count exceeding the following perimeters is considered a biometric sample and accordingly is to be considered biometric information. Where the width of the head is forty-nine (49) pixels or more of resolution, which corresponds to a maximum full image width of eighty-five (85) pixels or more of resolution, and an image height of one hundred six (106) pixels or more of resolution
Section 3. {Disclosure of biometric information}
(A) A collector and a collector's contractor may not disclose, transfer, or distribute the biometric information of another individual, except to a contractor or to a person to authenticate the identity of the individual providing the biometric information.
(B) A disclosure, transfer, or distribution under Subsection (A) of this section may only be made for the original purpose for which the information was collected.
Section 4. {Sale of biometric information}
(A) A person may not sell biometric information, except that a contractor may sell the contractor's business to another person and transfer the biometric information to the buyer.
Section 5. {Alternate identification}
(A) If a person who administers an occupational examination requires an individual taking the examination to provide biometric information to the person for the purpose of identifying the individual taking the examination, the person may not require that the individual provide the biometric information if the individual provides the person with a valid state issued identification card including but not limited to a state driver’s license or a valid federal identification card including but not limited to a U.S. passport to the person administering the occupational examination.
(B) In this section, "occupational examination" includes an examination required for admission to an institution of higher learning.
Section 6. {Disposal}
(A) When a collector no longer needs an individual's biometric information for the collector's original purpose, or if an individual requests in writing that the individual's biometric information be removed from all databases or other storage systems and be permanently destroyed, the collector and the collector's contractor, if any, shall, within 120 days and unless prohibited by other law, a regulation, or a court order, remove the individual's biometric information from all databases and storage systems and destroy the biometric information.
(B) Within 30 days after determining that the collector no longer needs an individual's biometric information for the collector's original purpose or that the individual has requested the removal and destruction, the collector shall notify the collector's contractor, if any, that the collector is to remove the individual's biometric information from all databases and storage systems and destroy the biometric information.
Section 7. {Use of biometric information}
(A) A collector may not use biometric information for marketing purposes or for general surveillance purposes, but a collector may use the biometric information for a specific authorized security or fraud prevention purpose in addition to the specific purpose for which the biometric information was collected.
Section 8. {Storage of biometric information}
(A) A collector and a contractor shall store an individual's biometric information in a secure manner, which may include encryption or another appropriate method, to ensure that the identity of the individual who provided the biometric information is protected.
Section 9. {Right of action}
(A) Except as provided in Subsection (B) of this Section, an individual may bring a civil action against a person who knowingly violates this Act. A person who violates this Act is liable to the individual for actual damages and a penalty of $5,000, except that, if the violation resulted in profit or monetary gain to the person, the penalty is $100,000.
(B) An action for damages, a penalty, or both may not be brought against the state, the agencies of the state, or the officers or employees of the state or the agencies of the state for violations of this Act or for other claims arising under this Act.
Section 10. {Exemptions}
(A) This Act does not apply to the collection, retention, analysis, disclosure, or distribution of:
- (1) Biometric information for a law enforcement purpose provided a search warrant is issued for the purposes of the identification of perpetrators, or the investigation of crimes, the identification of a reported missing person, the identification of unidentified persons provided the unidentified person has committed an offense or violation of law for which would a physical custody arrest is required, or the identification of human remains; or
- (2) Biometric information when authorized by a mandatory state or federal law.
(B) This Act does not apply to the retention of voices recorded for quality assurance purposes.
Section 11. {Severability clause}
Section 12. {Repealer clause}
Section 13. {Effective date}