The SHIELD Act lists examples of policies and practices that constitute reasonable administrative, technical and physical safeguards.The types of security incidents that trigger notification obligations also differ across the states.

Most important, organizations that have or anticipate having employees or consumers in the states listed above … Texas law also limits the sale or disclosure of an individual’s biometric identifiers except under limited circumstances. Some of the differences that are worth noting are highlighted in this this blog post.One variation is in the breadth of the definition of “biometric information.” The California Consumer Privacy Act (CCPA) defines it as data about an “individual’s physiological, biological or behavioral characteristics, including DNA, that can be used . & Com. The facial scan that launched a thousand laws: biometric privacy legislation trend continues to grow nationwide Washington's law is similar to both the archetypal law in Illinois and the later law in Texas in the way it regulates collecting, using, and retaining data. While some of the provisions in these laws are similar, other features vary from state to state. How to Comply with Biometrics Laws

Texas has also codified the law to capture and use biometric identifiers (Tex. The Oregon Act sets a timeframe that is more vague, requiring biometric data to be disposed of once the business no longer needs that information for business purposes or as required by law.While calls for a federal data privacy law continue, the focus on the protection of biometric data increases. Bus. section 503.001(b) (2009), or the Capture or Use of Biometric Identifier Act (CUBI): ... and procedures could be far less costly than reacting after the fact to litigation spawned from one of the many biometric privacy laws on the horizon. OEMs face a patchwork of state biometric data privacy laws that may apply to data collected and used by new automotive technologies. Bus. . Code Ann. Texas law requires companies to use “reasonable care” to protect biometric identifiers from disclosure, and to store, transmit and secure that data in the same manner that they store, transmit, and protect other confidential information they possess, or in a more protective manner. Although still in their nascent stages, both bills are following California’s lead in creating enhanced and stringent privacy protections for individual consumers. For example, the Arizona Data Security Breaches law defines a “security incident” as an event that creates “reasonable suspicion” that a company’s information systems or computerized data may have been compromised or that measures put in place to protect those systems or data may have failed.

Washington . Illinois does offer this remedy but Texas does not. Texas law requires companies to use “reasonable care” to protect biometric identifiers from disclosure, and to store, transmit and secure that data in the same manner that they store, transmit, and protect other confidential information they possess, or in a more protective manner. By contrast, the Arizona Data Security Breaches law, makes no reference to encryption, defining “personal information” simply as an individual’s first name or first initial and last name in combination with biometric data.Some biometrics laws, including BIPA and the Texas Capture or Use of Biometric Identifier Act (Texas Act), require companies to obtain consent to collect biometric data from individuals. to establish individual identity.” This includes “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.” The Illinois Biometric Information Privacy Act (BIPA) has a narrower definition of the term, defining “biometric information” as information, “based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, that is used to identify an individual.”Another example is the definition of “personal information.” The Oregon Consumer Information Protection Act (Oregon Act) focuses on encryption, and defines “personal information” as (1) a consumer’s first name or first initial and last name in combination with biometric data, if encryption, redaction or other methods have not rendered the biometric data unusable or if the biometric data is encrypted and the encryption key has been acquired, or (2) biometric data without the consumer’s user name, or the consumer’s first name or first initial and last name, if encryption, redaction or other methods have not rendered the biometric data unusable and the biometric data would enable a person to commit identity theft against a consumer. However, current biometric privacy laws show that a broad approach to regulating this technology in the name of privacy may have unintended consequences and could remove beneficial uses of the technology as well. Current state biometric privacy laws have prevented residents from accessing the benefits of certain technologies available in other states.

The Oregon Act uses a different standard for what constitutes a security breach, defining it as an unauthorized acquisition of computerized data that “materially compromises” the security, confidentiality or integrity of personal information that a company maintains or possesses.Finally, while the majority of the laws discussed in the infographic mandate the disposal and destruction of biometric data, they set different deadlines.