Deleting DataThis series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.

Last week’s post was a whirlwind history tour of U.S. data privacy law, honing in on the privacy principles of data minimization and storage limitation.  The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on notice and consent and have avoided requiring businesses (1) to manage data under a retention schedule and (2) to dispose of personal data once no longer necessary for legal compliance or business need.

This began to change in state laws focused on a small niche of privacy – biometric data privacy.  Data security for biometric data is becoming a staple of state-level breach notification statutes (to date, in 17 states and the District of Columbia) and in some states’ laws that affirmatively require reasonable data security programs for protected personal information.  But state-level data privacy laws for biometric data have been more of an outlier.

Illinois’ Biometric Information Privacy Act (BIPA) became effective in 2008.  BIPA has been blogged about endlessly, largely because, after a bit of a sleepy start, its provisions allowing private-party class actions for statutory damages (thereby bypassing the standing impediment vexing many privacy and data security claimants) thrust BIPA to center stage in headline-grabbing litigation.

Our focus here is on a particular provision in BIPA:

A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

 740 ILL. COMP. STAT. 14/15(a)(emphasis added).  In other words, BIPA-covered businesses (1) must maintain and must comply with a publicly available, written data retention schedule for specified biometric data, and (2) under that retention schedule, must dispose of the biometric data when the initial collection purpose has been satisfied (and in any event within three years of their last interaction with the individual).  BIPA thus included elements of data privacy not yet seen in other U.S. data privacy laws at that time, except under COPPA – requiring a retention schedule in which retention of biometric data is tied to the purpose(s) for collecting it (data minimization, with a dose of Transparency for the publicly availability of the retention schedule), and requiring that the biometric data be disposed of after no longer necessary (storage limitation).

Texas followed suit in 2009 with the Texas Biometric Privacy Act, which requires businesses possessing an individual’s biometric identifier for a commercial purpose to destroy such data within a reasonable time period, not exceeding one year after the purpose of collection expires.  TEX. BUS. & COM. CODE ANN. § 503.001(c)(3).  Here again we have data minimization (tying the retention of biometric data to its collection purpose(s), which as a practical matter requires a retention schedule), and an explicit storage limitation (requiring that the biometric data be disposed of within a year after the collection purpose(s) are met).

Under Washington’s 2017 biometric privacy law, biometric identifiers must be disposed of once no longer reasonably necessary to comply with legal requirements, to protect against specified exposures, or to provide the services for which the data was enrolled.  WASH. REV. CODE § 19.375.020(4)(b).  Once again, we have data minimization and an explicit storage limitation – the business as a practical matter must manage biometric data under a retention schedule, and it has a legal duty to dispose of the data once no longer necessary.

The California Consumer Privacy Act (CCPA), effective January 1, 2020, and the California Privacy Rights Act (CPRA), generally effective January 1, 2023, each include biometric data in their scope of protected personal information, and the CPRA imposes data minimization and storage limitation requirements – more on CCPA/CPRA later in this series.

And to borrow from Churchill, this may not even be the end of the beginning.  Proposed biometric data privacy laws are  percolating in other state legislatures across the country.  For example, both New York State Assembly Bill A27 and Maryland Senate Bill 16, each tracking BIPA’s language on this point, would require that covered businesses (1) maintain and comply with a publicly available, written data retention schedule for specified biometric data, and (2) under that retention schedule, dispose of the biometric data when the initial collection purpose has been satisfied (and in any event within three years of their last interaction with the individual).  Massachusetts Bill SD.269 provides the same, except disposal would be required to occur in any event within one year of the last interaction.

Thus, following BIPA’s lead, a growing number of states are applying data retention schedule and data disposal requirements to businesses, at least in the narrow space of biometric data privacy.  Which begs the question, what if these retention schedule and disposal requirements spread to more comprehensive state data privacy laws?  We can begin to see what that looks like in the CCPA/CPRA.  See you next time.