SB 554 - This act creates the "Biometric Data Privacy Act" which establishes requirements for private entities collecting and in possession of biometric information and a cause of action for violations of the act. Specifically, each private entity shall develop a publicly available written policy that sets out a retention schedule and guidelines for permanently destroying biometric information. Additionally, no private entity shall collect, capture, purchase, receive, or otherwise obtain biometric information unless the person whose biometric information is obtained:
(1) Is informed in writing that biometric information is being collected or stored;
(2) Is informed of the specific purpose and length of time for which biometric information is being collected, stored, or used; and
(3) Gives a written release.
A private entity in possession of biometric information shall not disclose a person's biometric information unless:
(1) The person provides a written release;
(2) The disclosure completes a financial transaction requested or authorized by the person;
(3) The disclosure is required by law; or
(4) The disclosure is required due to a valid warrant or subpoena.
Furthermore, no private entity in possession of biometric information shall sell, lease, or trade a person's biometric information. A private entity storing, transmitting, and protecting from disclosure any biometric information shall use the reasonable standard of care for the private entity's industry and shall keep such information in the same or in more protective manner as other confidential and sensitive information of the entity is kept.
A private entity shall not condition the provision of goods or services on the collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the identifier is strictly necessary to provide the goods or services. Additionally, a private entity shall not charge different prices or provide a different level of quality to any individual who exercises his or her rights under this act.
Any person aggrieved by a violation of this act shall be entitled to a cause of action in which a prevailing plaintiff shall recover all attorney's fees and costs and may recover for each violation:
(1) Against a private entity that negligently violates this act, either liquidated damages of $1000 or actual damages, whichever is greater;
(2) Against a private entity that intentionally or recklessly violates this act, either liquidated damages of $5000 or actual damages, whichever is greater; and
(3) Any other relief deemed appropriate.
Nothing in this act shall be construed to affect the admission or discovery of biometric information nor shall the act be construed to conflict with provisions of state law regarding maintenance of medical records or with HIPAA. Furthermore, this act shall not be deemed to apply to financial institutions covered by federal law nor to contractors, subcontractors, or agents of a state agency or local government.
This act is substantially similar to HB 407 (2025), HB 500 (2025), HB 1584 (2024), HB 2594 (2024), HB 1047 (2023), HB 1225 (2023), and HB 2716 (2022).
KATIE O'BRIEN