Establishes a new Chapter 93M into the General Laws, entitled “Biometric Information Privacy Act.” In particular the bill:
Defines “biometric identifier” as a physiological or biological characteristic used to identify an individual (e.g. fingerprint, face scan, retina or iris, voiceprint, gait). Excluded from this definition are writing samples, signatures, photographs, demographic data, tattoos, physical descriptions, organs, tissues, blood or serum for transplants, medical imaging (X-ray, MRI, CT, PET, etc.) used for diagnosing or treatment, biometric info collected in health care contexts for treatment, payment, and operations under HIPAA.
Private entities must establish a written policy for how long biometric data is kept, and guidelines for destruction once the original purpose is satisfied or within 1 year after last interaction (whichever comes first).
Before collecting biometric data, a private entity must inform the individual in writing that biometric identifiers or information will be collected or stored, state the specific purpose and duration of collection or use, and obtain written consent (which can be electronic).
Entities may not sell, lease, trade, or profit from someone’s biometric identifier or info, and may not disclose or re-disclose the data except with certain enumerated exceptions.
Entities must use a “reasonable standard of care” in storing, transmitting, and protecting biometric data, and must protect it at least as robustly as other “confidential and sensitive information” held by the entity.
Commercial establishments may not use biometric identifiers or info to identify a person for commercial purposes (for example, they cannot run you through a “face scan” in a store to identify who you are just because you walk in).
Establishes a “private right of action” under which a person aggrieved by a violation may sue under Chapter 93A (Massachusetts consumer protection law), with damages of at least $5,000 per violation, or actual damages, whichever is greater. If the court finds a willful or knowing violation, damages may be 2× to 3× that amount. Attorney’s fees and costs may also be awarded.
The Attorney General may separately enforce these provisions, also using Chapter 93A for violations or suspected violations, with the same damages floor.
Establishes rules of construction that the provisions are not to be construed to interfere with admissibility or discovery of biometric data in courts, tribunals, or agencies, or any provisions of HIPAA or federal law regarding health data (i.e. it doesn’t override HIPAA’s protections or requirements).