Credit reporting agencies are a type of data broker under the law, and must follow specific requirements. These include a standard written notice to consumers and rules related to the placing of security freezes on a consumer’s credit report.
Personal information controlled by the law includes not just sensitive information like biometric data, but also contact information and several types of demographic information. Brokers are required to register annually with the Secretary of State. As part of the annual registration, brokers need to give information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.
PUTTING IT INTO PRACTICE: This law is a reminder that more and more, legislators are drafting laws with specifics about data protection requirements and privacy and security programs. Here, for companies that are in the business of sharing information that they have not collected directly from consumers, this law is an important one to review.
Biometric Breakdown Part IV – Protecting
Posted on April 27, 2018
In continuing our series on biometrics, we conclude with an analysis of protection requirements and risks. Illinois, Texas, and Washington—the three states which have thus far implemented specific biometric privacy laws—each require companies to reasonably protect biometric data in their possession. Illinois and Texas have further specified that the data must be protected to the same degree as other confidential and secret information. All three states require that the data be destroyed within a fixed amount of time.
Even states lacking specific biometric privacy statutes have expanded their data breach notification laws to include breaches of biometric data, requiring notification to affected individuals. Those states include Delaware, Illinois, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Wisconsin, and Wyoming. In Delaware, Iowa, Maryland, Nebraska, New Mexico, and North Carolina, companies must also notify government authorities.
Click here to read the introduction to our series, here to read about collection, and here to read about sharing. PUTTING IT INTO PRACTICE: As breach notice laws continue to evolve, companies should assess the protection
measures they have in place to protect biometric information. Biometric Breakdown Part III – Sharing
Posted on April 26, 2018
We’ve looked in our series to what companies should do when collecting biometric information, and now we turn to issues around sharing biometric information. The three states which have thus far enacted specific biometric privacy legislation—Illinois, Texas, and Washington—each place restrictions upon the sharing of biometric information. Illinois has imposed a blanket prohibition upon the sale of biometric information. The information may be shared if needed to complete a financial transaction authorized by the individual, if required by law, or, if the individual provides consent, for any other purpose.
The Texas law allows both sale and sharing of biometric data if needed to complete a financial transaction authorized by the individual, if required by law, or, if the individual provides advance consent, for the specific purpose of identification in case of death or disappearance. Washington’s law is the most liberal. It allows sharing and sale for any purpose if the individual consents. Absent consent, the information may still be shared or sold in a variety of
                     7 Eye on Privacy 2018 Year in Review