Currently, there is no comprehensive Missouri privacy law in effect. However, the state has introduced an important biometric privacy bill this year.
Biometric Privacy Acts
Since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states, and Missouri is one of them. Broadly speaking, these bills were introduced to impose new requirements on companies’ collection, handling, protection, use, and dissemination of biometric information. These bills have the potential to greatly increase the compliance risk and liability exposure of companies that handle biometric information and are therefore worth tracking closely.
Currently, a jumble of legal frameworks controls the gathering and use of biometric data. As an illustration, some newly established comprehensive state privacy regulations treat biometric data as a type of “sensitive” data. To be specific, Colorado’s 2022 law restricts the use of facial recognition technology by state and local government agencies. In the meantime, several states and municipalities have chosen to limit the use of specific forms of biometric data in more restricted use cases.
The model statute in the biometric privacy landscape, is by no doubt, Illinois’s Biometric Information Privacy Act (BIPA). Though Washington and Texas have their own state biometric privacy laws in place, Illinois’s BIPA is the only such law that is enforceable through a private right of action.
Missouri introduced a “Biometric Information Privacy Act in March 2023. The bill is pending.
Key Features of the Missouri Biometric Privacy Act
- The bill establishes the “Biometric Information Privacy Act”. Any private entity in possession of biometric identifiers or information, as defined in the bill, must have a written and publicly available schedule and clear guidelines for permanently destroying biometric identifiers and information when the original purpose for collecting or obtaining them has been satisfied, or within three years of the individual’s last interaction with the private entity.
- Without first notifying the subject in writing of the information being collected and the reason for collection, and without first receiving the subject’s written consent authorizing the collection, no private entity may collect, purchase, receive, or otherwise obtain the subject’s biometric identifier or information. No private entity may sell, lease, trade, or otherwise profit from an individual’s identifier or information if it has access to biometric identifiers or information.
- The Health Insurance Portability and Accountability Act requires that any organization or person subject to its requirements treat biometric identifiers and information as individually identifiable health information.
- No private entity may disclose or distribute a person’s biometric identifier or information unless they have the person’s consent.
- Any private organization in possession of biometric identifiers or information must securely preserve it in compliance with the bill’s rules.
- Any person who feels wronged by a violation of this bill’s provisions has the right to sue in court. The winning party will be given full reimbursement for all legal fees and costs, including expert witness fees and other court costs. For each infraction, the prevailing party may seek compensation from a private party:
- If the private entity was found negligently in violation, liquidated damages of $1,000 or actual damages, whichever is greater;
- (If the private entity was found intentionally or recklessly in violation, liquidated damages of $5,000 or actual damages, whichever is greater; and
- Other relief, including an injunction, as the court may deem appropriate.
Centraleyes is committed to bringing you the latest updates in state privacy laws. As stated above there is not Missouri data privacy law or Missouri privacy act in the legislative proceeds yet. Stay tuned!
