PrivacyVirginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Virginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Since California’s Consumer Privacy Act (CCPA) was passed in 2018, Beckage has seen a slew of other states follow suit in proposing and enacting their own comprehensive data privacy bills. Most recently, lawmakers in Virginia, Oklahoma, and Florida have joined the growing list of states with proposed privacy bills. So far this year, New York, Washington, and Minnesota have also introduced legislation governing the ways companies collect, store, use, and share consumer data and we expect to see other laws emerging in the coming months with still no federal data privacy bill in sight.  

Working with experienced privacy counsel can help build out data privacy programs that stand the test of time and contemplate emerging legislation.   

Below is an overview of the Virginia and Oklahoma proposed bills, their requirements, and their potential impact on the data privacy landscape. 

Virginia Consumer Data Protection Act (SB 1392) 

The Virginia proposal is quickly moving through the Virginia state legislature and is likely to be the next comprehensive state data privacy law on the books. This bill passed the Virginia House of Delegates on January 29th by a wide margin and was unanimously approved in the Senate on February 3rd. Assuming Governor Northam signs it into law, the Virginia Consumer Data Protection Act is set to go into effect on January 1, 2023. 

Who Does It Apply To? 

Companies that conduct business in Virginia or “produce products or services that are targeted to” Virginians would have to comply with the Virginia Consumer Data Protection Act if they: 

  • Control or process the personal data of at least 100,000 Virginians; or 
  • Control or process the personal data of at least 25,000 Virginians and derive over 50% of their gross revenue from the sale of that data. 

The Legislation does provide exemptions for financial institutions governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA or HITECH, non-profits, and educational institutions. 

What Is Included? 

Included in this Bill are several requirements not covered under the CCPA or any other U.S. privacy law. One such obligation requires entities that control personal data to conduct protection assessments of any activities that use personal data for specific purposes, such as targeted advertising. These data protection assessments may be requested and evaluated by the attorney general to ensure compliance. 

This Act would afford Virginia consumers with several rights regarding their personal data, including the right to opt-out of the sale or use of their information for targeted advertising or profiling. It would also allow consumers to delete their data, move their data, correct inaccuracies in their data, and confirm if their data is being processed upon request.  

Notably missing is a private right of action through which consumers could seek damages for alleged violations. Instead, enforcement of the Act would be left exclusively to the attorney general, who may seek up to $7,500 per violation. 

Oklahoma Computer Data Privacy Act (HB 1602) 

Introduced on January 19, 2021 by Representatives Josh West (R) and Collin Walke (D), this Bill has bipartisan support in the Oklahoma House of Representatives. Its intended purpose is to give Oklahomans more online privacy by taking aim at tech companies. If passed, the Oklahoma Computer Data Privacy Act would go into effect on November 1, 2021. 

Who Does It Apply To? 

If passed, this act would apply to companies that operate in the state of Oklahoma and collect Oklahoman’s personal information or have information collected on their behalf, determine the purpose for and means of processing that information, and satisfy one of the following thresholds: 

  • Has an annual gross revenue exceeding $10 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 25% or more of their annual revenue from the sale of personal data. 

What Is Included? 

Companies subject to this legislation would be required to disclose what personal information they hold on a consumer and allow for the deletion of that information upon the consumer’s request. This proposal also mandates consumers opt-in to providing their personal data, which differentiates it from most other state privacy laws, like the CCPA. The Oklahoma Computer Data Privacy Act also differs from the CCPA in its inclusion of a broad private right of action through which Oklahoma residents could seek damages up to $7,500 for violations. 

Florida House Bill 969 (HB 969) 

Introduced on February 15th by Representative Fiona McFarland (R), House Bill 969 would place several requirements on businesses that deal with Florida residents’ private information. If passed, it would go into effect on January 1, 2022. 

Who Does It Apply To? 

For-profit companies that do business in Florida and collect personal information about consumers, have personal information collected on their behalf, or determine the process and means of processing personal information will have to comply with this Bill’s requirements if they satisfy one of the following thresholds: 

  • Has an annual gross revenue exceeding $25 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 50% or more of their annual revenue from the sale of personal data. 

What Is Included? 

HB 969 would require that applicable businesses notify consumers about their data collection and selling practices before or at the point of data collection. Under this Bill, consumers would also have the right to request their data be disclosed, corrected, or edited and the right to opt-out of having their personal information disclosed or sold to a third party. 

Applicable businesses would be required to implement reasonable security protocols to protect their consumer’s personal data. Also included is a private right of action through which a consumer “whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access” may seek damages for violations of the Bill. The Department of Legal Affairs would be authorized to bring other enforcement actions, up to $2,500 per unintentional violation and $7,500 per intentional violation. 

Potential Impact 

Currently, the data privacy landscape in the United States is a patchwork of enacted and proposed laws, all with their own requirements and consumer rights, creating a confusing web for companies operating in more than one jurisdiction. While advocates of these state privacy laws argue for the protection of consumers’ data in an increasingly digitally-driven world, opponents argue that the potential risk of operating within states who have enacted comprehensive privacy laws may deter businesses from expanding their operations there. 

A federal privacy law that could rectify the many differences between individual state laws would simplify this landscape, making it easier for companies to protect their consumers’ data and operate efficiently while complying with regulations.  

Beckage is closely monitoring these, and other emerging privacy laws. In the meantime, companies that collect personal data should start thinking about privacy compliance by conducting a baseline privacy assessment and starting to develop relevant policies and procedures. Beckage attorneys, who are also technologists and certified privacy professionals, are happy to help counsel your business on compliance with the CCPA, GDPR, and other pending and enacted privacy legislation.  We work with clients of all sizes to build out data privacy programs and address compliance matters.  

Subscribe to our newsletter. 

*Attorney advertising – prior results do not guarantee future outcomes. 

BiometricsBipartisan Group Proposes New York Biometric Policy

Bipartisan Group Proposes New York Biometric Policy


In January of 2021, a bipartisan group of New York State lawmakers proposed a comprehensive policy that places restrictions on the collection of biometric information by companies operating in the state. Assembly Bill 27, the Biometric Privacy Act, would allow for consumers to sue companies that improperly use or retain an individual’s biometric information. New York’s biometric act follows suit behind Illinois’ Biometric Information Privacy Act (BIPA), the first and most robust state law that guards against the unlawful collection and storing of biometric information. Like BIPA, Assembly Bill 27 was created to place regulations on a company’s handling of biometric data, such as fingerprints, voiceprints, retina scans, and scans of the hand and face geometry. Assembly Bill 27, however, does not cover writing samples, written signatures, photographs, or physical descriptions.

What Is Included?

The Biometric Privacy Act requires businesses collecting biometric identifiers or information to develop a written policy establishing a retention schedule and guidelines for permanently destroying the biometric data. The destruction of the data must occur when the initial purpose for collecting the biometric data has been “satisfied,” or within three years of the individual’s last interaction with the company, whichever occurs first. This bill also includes a private right of action that would allow consumers to sue businesses for statutory damages up to $1000 for each negligent violation and $5,000 for each intentional or reckless violation.

Further, AB 27 requires companies to obtain written consent from individuals before collecting, purchasing, or obtaining biometric information and provide notification to those individuals about the specific purpose and length of time the data will collected, stored, and used. Companies are prohibited from selling, leasing, trading, and profiting from biometric information and strict restraints are placed on a business’s ability to disclose biometric information to a third party without consumer consent.

The Impact of Biometrics on Future Legislation

With the increased volume of biometric information being used by companies leveraging biometric-driven timekeeping systems and other technologies, the push for biometric privacy policies that govern the use of these technologies and promotes safeguards for employees is gaining momentum. Several states are also looking to amend their breach notification and security laws to include biometric identifiers. For example, New York State’s SHIELD Act, the breach notification law enacted in 2019, has already been expanded to include biometric data in its definition of private information.

At Beckage, we have a team of highly skilled lawyers that stay up to date on proposed and enacted legislation. With states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies.

Subscribe to our newsletter.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

WashingtonWashington State Legislature Considers Data Privacy Again

Washington State Legislature Considers Data Privacy Again

As 2021 unfolds, so does the data privacy regulatory landscape, with Washington state unveiling the Washington Privacy Act (WPA) (SB 5062). However, this is not the state’s first attempt at comprehensive privacy legislation. January 11, 2021, marked the third time in three years that the state considers comprehensive data privacy law. If passed, the law will take effect on July 31, 2022. It will join Washington’s state biometric law and a growing number of technology-focused privacy laws that frame evolving privacy legislation in the US. While the WPA does not appear to generate the same buzz as the California Consumer Privacy Act (CCPA), it would nonetheless have similar data protection obligations.

Who is covered and why?

In line with comprehensive data frameworks, the definition of personal data is broad. Under the WPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” This definition excludes deidentified or publicly available information.

The law would apply to legal entities conducting business in the state or producing products or services targeting Washington residents. Such legal entities must also satisfy one or more of the following:

  • Control or process the personal data of at least 100,000 Washington residents during a calendar year, or
  • Derive over 25% of their gross revenue from the sale of personal data and control personal data of 25,000 or more Washington residents.

What are business obligations concerning consumer privacy rights?

Under the law, companies would be obligated to provide Washington residents with the privacy rights outlined below. The law, however, does not cover individuals in commercial or employment contexts. It only protects the personal data of Washington residents acting in an individual or household context.

Consumer Privacy Rights under WPA:

  • Right of Access;
  • Right of Rectification:
  • Right of Deletion;
  • Right of Portability;
  • Right of Opt-Out;

Business Obligations under WPA:

  • Notice/Transparency Requirements;
  • Risk Assessments;
  • Prohibition on Discrimination for exercising rights;
  • Purpose Limitation;
  • Processing Limitation

WPA is not unlike existing comprehensive privacy laws. Therefore, in addition to fulfilling consumer data privacy requests, WPA imposes staple provisions on business relating to third-party relationships, privacy notices, and data impact assessments. However, the law has a new requirement with specific coverage on technology-assisted contact tracing in light of the pandemic. For instance, Section 302 introduces prohibitions and conditions for the processing and disclosing technology-assisted contact tracing information. As the breadth of privacy laws expands and recognizes the impact of digital technologies, businesses should be prepared to respond to compliance obligations.

The Beckage team is monitoring the development of the WPA and other pending state data privacy laws going through state legislatures right now. Our team of data privacy and technology lawyers is here to assist your company with privacy compliance, develop relevant policies, and other privacy-related matters. A baseline privacy assessment is a great starting place to develop a data management framework that will help guide your business to compliance with future privacy regulations such as the WPA.

Subscribe to our newsletter.

*Attorney advertising – prior results do not guarantee future outcomes.

Data Privacy DayBeckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Beckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Today is Data Privacy Day – an international event held annually on January 28th with the purpose of promoting privacy and data protection best practices for consumers and businesses. At Beckage, every day is Data Privacy Day – our team of lawyers and technologists works daily with clients on data security and privacy measures, from developing policies and procedures to comply with international and domestic privacy regimes to responding to headline-making data incidents and defending clients in data security and privacy class actions.

The legal landscape surrounding data security and privacy is constantly evolving to adapt to technological advancements and global privacy trends. In observance of this holiday, we asked some of our experienced team members what they expect to see in this space in 2021.


Litigation – Myriah V. Jaworski, Esq. CIPP/US, CIPP/E

My data privacy prediction for 2021 is also related to biometrics. This year we will see the continued rise of regulation over and litigation concerning the use of biometric information.

A few years after the Illinois State Legislature passed BIPA, the Biometric Information Privacy Act, we started to see a slew of class action lawsuits filed against businesses alleged to have violated BIPA’s written release requirement. BIPA class actions have ranged from headline-making cases against major tech companies, such has Facebook, to small and medium-sized businesses across numerous industries.

While biometric lawsuits were once viewed as a risk associated only with doing business in Illinois, other states, like Washington and Texas, have followed suit by passing their own laws mimicking BIPA and others are eyeing their own biometric privacy bills. Of note, a bill nearly identical to BIPA is pending in the New York State legislature, which, if passed, could have a much larger impact on businesses given that New York is one of the largest economies in the United States.

At the federal level, we have recently seen the Federal Trade Commission (FTC) enter the biometric conversation with its consent agreement with EverAlbum, Inc. This consent order may have set a nation-wide standard for businesses’ use and collection of biometric information, regardless of whether those businesses operate in states that have enacted or pending biometric privacy laws.

In short, in 2021 the risks and penalties associated with collecting and using biometric information are steep. Any business, regardless of location, that is engaging in biometric information collection should conduct a privacy audit, look at its written policies, and ensure that it has the requisite consents in mind. As a litigator, I always say “demonstrable compliance is the strongest legal defense,” and that is certainly true in the biometric privacy space.

Watch Myriah’s video prediction here.


Incident Response – Daniel P. Greene, Esq., CIPP/US, CIPP/E

At the heart of what we do as incident response privacy practitioners is data breach prevention.  My 2021 prediction for the privacy landscape is an expansion in the use of multi-factor authentication. This is great news for incident response because, often, multi-factor authentication is an important step in helping to avoid a data incident and protect the privacy of data.

Multi-factor authentication is when a user identifies themself through biometrics, like a facial or fingerprint scan, or though entering a code on a device to confirm access to sensitive spaces, like a bank account or work network. It helps in avoiding unauthorized access and we expect to see this technology used in new spaces in 2021, such as when using an ATM or checking out at a grocery store.

We also anticipate an expansion in the use of biometrics over device authentication. There have been numerous documented incidents where device authentication has backfired. A famous example occurred in 2019 when attackers were able to gain access to Twitter CEO Jeff Dorsey’s account using a SIM card swap scheme. Because biometric identifiers are much more difficult to change or duplicate, using a facial scan or fingerprint is a much more secure method of confirming a user’s identity. And while this brings up a host of other issues about safeguarding biometric information, I think we can expect to see it used a lot more soon.

Watch Dan’s video prediction here.


Government Investigations – Michael L. McCabe, Esq., CCEP

In 2021, I expect to see increased enforcement of privacy and data security laws and regulations at both the federal and state level. Considering new leadership in Washington D.C. and the looming impact of the COVID-19 pandemic, I predict not just an uptick in enforcement, but also a more muscular approach by regulators.  More enforcement actions are expected, a further reminder for companies to work with experienced tech privacy and security legal counsel to minimize legal and technical risk.

At the federal level, look for enhanced enforcement by the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and Securities and Exchange Commission (SEC). On the state level, I anticipate a similar response by state attorneys general outside of Washington.   

In 2020, we saw a major uptick in cyber-attacks, due in part to companies having to quickly adopt policies for a distributed workforce.  There were also numerous COVID-related phishing attempts. These developments have resulted in a record number of data security incidents. Therefore, I expect the focus of these enforcement actions to be not just on privacy compliance, but also on effective data security and incident response.  

Watch Mike’s video prediction here.


Privacy Compliance – Kara L. Hilburger, Esq., CIPP-US

My prediction for the privacy compliance area in 2021 is the increased focus on consumer privacy rights. With California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA), now one year old, there is increase awareness and attention to data subject rights.  With a myriad of other states entertaining statutes similar to the CCPA, I anticipate a host of plaintiff related lawsuits filed under these statutes’ privacy right of action provisions. The result is that business operating in this highly global, multi-jurisdictional environment will need to continue to work towards building out robust and scalable data security and privacy infrastructures that take into account not only the GDPR and CCPA but other emerging laws. For example, updating forward-facing website disclosure policies and user agreements will be paramount here to be sure they comply with the required disclosures.

Relatedly, my second prediction as that we will continue to see an uptick in litigation filed under the Americans with Disabilities Act and frankly no end is in sight.  Businesses are continuing to educate themselves on the legal standards necessary for building and maintaining an accessible website.  We also anticipate much in the way of legislation or increase DOJ involvement in this area under the new administration.

Watch Kara’s video prediction here.


Health Law – Allison K. Prout, Esq., Cert. AWS Cloud Practitioner

With so much of our everyday lives moving online in the wake of the COVID-19 pandemic, we have seen a large uptick in data breaches caused by third-party vendors and service providers. And when it comes to the healthcare industry, I anticipate a continued increase in incidents that originate with business associates and other vendors providing services to covered entities. 

 In fact, about 40% of HIPAA breaches involve or are caused by business associates. With a new administration that’s likely to favor regulatory action, we expect to see regulatory authorities continue to enforce actions against covered entities whose business associates or service providers experience breaches. 

So what does this mean for the industry?  We expect to see covered entities taking a much closer look at who they are working with—and whether those parties have robust security and privacy protocols. For this reason, business associates may need to prepare accordingly. Whether you are a covered entity or a business associate, now is the time to dust off vendor due diligence and monitoring policies and procedures. It’s also a good idea to take a closer look at those service agreements and business associate agreements to make sure your service providers are making the right security commitments—and assuming responsibility—when there’s a breach.

Watch Allie’s video prediction here.


Global Data Privacy – Jordan L. Fischer, Esq. CIPP/US, CIPP/E, CIPM

My first prediction for the global data privacy space in 2021 is the creation and evolution of additional data privacy regulations across the globe. The so-called “GDPR Effect” has been pushing data privacy trends across the globe, and we expect to this to continue as more regions and countries adopt legislation mimicking parts of the GDPR, putting their own unique twist on data privacy, or modernizing their existing data privacy regulations to make them more compatible with the GDPR and other global privacy regimes.

My second prediction is a major emphasis on cross-border data transfers. The 2020 Schrems II decision invalidated the EU-US Privacy Shield for sending data from Europe to the United States. This decision was focused on data transfers between the United States and the European Union, but it also highlights a challenge we are continuing to see in international law – while these privacy regulations see borders, the digital realm does not.  Thus, it is increasingly hard to segment data and maintain it within a specific region. This year, I anticipate a lot of tension between regions that approach privacy and security from various perspectives that don’t always align. This presents a challenge for businesses to continue to operate efficiently while minimizing risk and dealing with multiple global privacy and security regulations.

Regardless of the specific trends we expect to see this year, one thing is certain – the global data privacy landscape will continue to change rapidly, creating a fascinating environment for data privacy and security lawyers to practice in.  I am very excited to be a part of such a dynamic team that will continue to provide services to our clients in this space.

Watch Jordan’s video prediction here.


Key Takeaways

Today, as well as every other day of the year, we hope you take some time to reflect on data privacy and security and the ways you can better protect your personal or business’ private information. The Beckage team is passionate about to educating the masses on the importance of data security, the consumer privacy rights and the impact on businesses, and the steps you can take safeguard your information. We are committed to providing updates on relevant legislation, current threats, and proactive data security steps. Be sure to follow us on LinkedIn, read our blog, and subscribe to our newsletter to stay up to date on the latest in this ever-changing space. Happy Data Privacy Day!

*Attorney advertising – prior results do not guarantee future outcomes.

0
Facial RecognitionFTC & EverAlbum Inc. Settlement Clarifies Privacy Standards for Facial Recognition Technology

FTC & EverAlbum Inc. Settlement Clarifies Privacy Standards for Facial Recognition Technology

One of Beckage’s 2021 privacy predictions is the continued rise of biometric lawsuits and legislation, even outside Illinois’ BIPA. Case in point is a recent consent decree the Federal Trade Commission issued against EverAlbum, a California company, concerning its use of photo-tagging and facial recognition technologies.

The Claims Against EverAlbum Inc.

In its complaint, the FTC alleges that EverAlbum, Inc. violated Section 5 of the Federal Commission Act by making several misrepresentations concerning its App’s use of facial recognition technology (FRT). Specifically, the FTC alleged that:

  • EverAlbum’s facial recognition feature was on by default. InFebruary 2017, EverAlbum launched a new feature in the Ever App, called ‘Friends’ that used facial recognition technology to group users’ photos by the faces of the people who appear in them and allowed users to “tag” people by name. EverAlbum allegedly enabled facial recognition by default for all mobile app users when it launched the ‘Friends’ feature.
  • EverAlbum falsely claimed that users must affirmatively activate FRT. Between July 2018 and April 2019, EverAlbum allegedly represented that it would not apply facial recognition technology to users’ content unless users affirmatively chose to activate the feature. Although, beginning in May 2018, the company allowed some Ever App users—those located in Illinois, Texas, Washington and the European Union—to choose whether to turn on the face recognition feature, it was automatically active for all other users until April 2019 and could not be turned off.
  • EverAlbum used users’ images to create a larger dataset to develop its FRT, and sold FRT services to enterprise clients. Between September 2017 and August 2019, EverAlbum combined millions of facial images that it extracted from users’ photos with facial images that EverAlbum obtained from publicly available datasets to create datasets for use in the development of its facial recognition technology. The complaint alleges that EverAlbum used the facial recognition technology resulting from one of those datasets to provide the Ever App’s “Friends” feature and also to develop the facial recognition services sold to its enterprise customers without disclosing this to users.
  • EverAlbum Failed to delete photos from deactivated accounts. EverAlbum is also alleged to have promised users that the company would delete the photos and videos of users who deactivated their accounts. The FTC alleges, however, that until at least October 2019, EverAlbum failed to delete the photos or videos of any users who had deactivated their accounts and instead retained them indefinitely.

FTC v. EverAlbum Inc. Settlement Agreement

In the consent Agreement, the FTC requires EverAlbum to:

  • Delete Certain User Information: Specifically, within 30-90 days of the agreement, EverAlbum must delete:
    1. The photos and videos of Ever App users who deactivated their accounts
    2. All face embeddings, data reflecting facial features that can be used for facial recognition purposes, the company derived from the photos of users who did not give their express consent to their use.
    3. Any facial recognition models or algorithms developed with EverAlbum users’ photos or videos
  • Make Clear and Conspicuous Disclosures: EverAlbum must clearly and conspicuously disclose to the user from whom the respondent has collected the biometric information, separate and apart from any Privacy Policy, Terms of Use page, or other similar document, all purposes for which respondent will use, and to the extent applicable, share, the biometric information.
  • Obtain Affirmative Express Consent from Users: EverAlbum must obtain affirmative express consent from users whose biometric information is collected.

Potential Application of EverAlbum Settlement

The FTC v. EverAlbum Inc. settlement sets a defacto standard for businesses who are collecting biometric information from consumers in the United States. Companies who use biometric data or facial recognition technology should observe the following takeaways from this settlement:

First, the settlement makes clear that facial recognition technology used on photographs is a regulated biometric practice. This is somewhat unclear under the Illinois BIPA statute, where defendants have argued that photographs are exempt from the law.

Next, as a defacto standard, the FTC is requiring that businesses make clear and conspicuous disclosures regarding their biometric practices. The Agreement defines clear and conspicuous as “not difficult to miss” and easily understandable by ordinary consumers, including in all the following ways:

  • In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication, even if the representation requiring the disclosure (“triggering representation”) is made through only one means.
  • A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
  • An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
  • In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
  • The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.

Third, as a defacto standard, the FTC is requiring businesses that collect biometric information (such as photographs used for FRT) should obtain affirmative express consent from users before doing so. Although undefined in the agreement, in other contexts affirmative express consent may be accomplished through a written release or digital signature (BIPA), through an affirmative opt-in pop up for the specific purpose of making the biometric disclosure and obtaining consent.

Recommended Next Steps

Beckage recommends all companies that collect biometric information, including facial recognition technology, take several proactive steps in the wake of the EverAlbum settlement.

  1. Evaluate your existing privacy policy disclosures to confirm you are in compliance with the EverAlbum requirements and to make requisite clear and conspicuous disclosures regarding the collection of biometric information and use of facial recognition technology/photo-tagging.
  2. Evaluate the use of pop-ups and opt-ins or written releases to obtain affirmative express consent for FRT practices in the United States (note, in IL, a written release is required).
  3. Evaluate default settings and deletion photo and biometric information deletion practices to ensure compliance with the EverAlbum settlement requirements.

Emerging technologies present opportunities for companies to better engage their customers, but also create new data privacy concerns. With some states looking to implement biometric privacy laws mimicking Illinois’ Biometric Information Privacy Act (BIPA), including New York Biometric Privacy Act, (AB27), companies collecting and using biometric technology, like FRT, should consult legal tech counsel to evaluate compliance with these emerging laws. Beckage attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. Our team can help your company implement and mitigate the risks associated with emerging technologies.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

1 2 3 8