Consumer Electronics Daily was a Warren News publication.

Md. Senate Panel Mulls Biometric Privacy Bill

A private right of action is key to a strong biometric privacy bill in Maryland, said state Sen. Brian Feldman (D) at a Senate Finance Committee meeting livestreamed Wednesday. One problem with allowing only attorney general enforcement is the office's limited resources, said the SB-169 sponsor. "Businesses will simply ignore the law” if individuals can’t sue, said Electronic Privacy Information Center counsel Jake Wiener. Bring back the stronger PRA from last year’s Senate bill, he said. The enforcement provision is more limited in this year’s edition, agreed Feldman: It's based on last year’s House-passed bill, but the committee is welcome to amend. The Computer and Communications Industry Association wants only AG enforcement, with a 30-day right to cure alleged violations. “By creating a new private right of action, the measure would open the doors of Maryland’s courthouses to plaintiffs advancing frivolous claims with little evidence of actual injury,” said CCIA State Policy Director Khara Boender in written testimony. SB-169, which requires opt-in consent and applies only to private entities, puts "basic guardrails" to protect increasingly used biometric information like fingerprints and facial recognition scans, said Feldman. “There are essentially no rules” now on how long businesses can retain data and what they can do with it, he said. Assistant AG Hanna Abrams supported the bill, noting there are currently no restrictions on how companies use data. But CCIA said the bill goes “far beyond protecting” consumers’ biometric data, “which could result in degraded consumer services and experience.” Including a definition and compliance obligations for personal information extends the bill’s scope beyond biometrics, it said. “Requiring specific user consent for any data collection or processing would be inconsistent with consumer expectations, introduce unnecessary friction … and likely overwhelm consumers.” Extend the proposed Oct. 1 effective date, added CCIA, noting California, Colorado and Virginia privacy laws delayed enforcement by two years. Other opponents included TechNet and the Maryland Chamber of Commerce.