National Biometric Information Privacy Act of 2020
This bill requires a private entity that obtains an individual's biometric identifier or biometric information to take specified actions to maintain and ensure the privacy and security of such biometric data.
Specifically, a private entity in possession of biometric data must develop a written policy establishing a retention schedule and guidelines for destroying such data on the earlier of (1) the date on which the initial purpose for collecting the data has been satisfied, or (2) one year after an individual's last intentional interaction with the entity.
A private entity may not obtain an individual's biometric data unless (1) the entity requires the data to provide a service or for a valid business purpose, and (2) the entity informs the individual in writing of the collection and its purpose and receives a written release. Further, a private entity in possession of such data may not sell, lease, or otherwise profit from the data. A private entity must store, transmit, and protect from disclosure all biometric data in its possession in a manner that is the same as, or more protective than, the manner in which the entity treats other confidential and sensitive information. Upon request, the entity must disclose to an individual such data relating to the individual collected during the preceding 12 months.
Further, the bill establishes a private right of action for any individual aggrieved by a violation of the bill's provisions.