This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
Last week’s post was a whirlwind history tour of U.S. data privacy law, honing in on the privacy principles of data minimization and storage limitation. The punchline was that unlike most foreign data privacy regimes, and with but few exceptions, U.S. data privacy laws have focused primarily on notice and consent and have avoided requiring businesses (1) to manage data under a retention schedule and (2) to dispose of personal data once no longer necessary for legal compliance or business need.
This began to change in state laws focused on a small niche of privacy – biometric data privacy. Data security for biometric data is becoming a staple of state-level breach notification statutes (to date, in 17 states and the District of Columbia) and in some states’ laws that affirmatively require reasonable data security programs for protected personal information. But state-level data privacy laws for biometric data have been more of an outlier.
Illinois’ Biometric Information Privacy Act (BIPA) became effective in 2008. BIPA has been blogged about endlessly, largely because, after a bit of a sleepy start, its provisions allowing private-party class actions for statutory damages (thereby bypassing the standing impediment vexing many privacy and data security claimants) thrust BIPA to center stage in headline-grabbing litigation.
Our focus here is on a particular provision in BIPA:
Continue Reading Less data is more than ever: state biometric data privacy laws