ID Scanning Laws Updates – Q2 2022
Summary of Q2 2022 Legislation Relating to ID Scanning or Identity Verification
The 2022 legislative sessions have ended in all but a handful of states. Many bills relating to point-of-sale data collection have continued through the process, with several being signed into law.
A Maryland bill that would require a business that maintains personal information of an individual residing in Maryland to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information maintained was signed by the Governor. The bill is effective as of October 1, 2022.
In New York, a bill that would require the use of biometric identity verification devices was committed to the Rules Committee. The bill would authorize an agent or employee to determine a person’s age when purchasing beverages or tobacco products by use of a biometric identity verification device.
On May 10, 2022, Connecticut became the fifth state to enact the Consumer Data Privacy Act. The Act establishes a framework for controlling and processing personal data responsibilities and privacy protection standards for data controllers and processors. Additionally, it grants consumers the right to access, correct, delete, and obtain a copy of personal data. The Act will go into effect July 1, 2023, giving companies doing business in Connecticut less than two years to comply.
Catalog of Legislative Initiatives Relating to ID Scanning or Identity Verification By State
Overview of relevant bills and statutes proposed and/or passed between April 1, 2022 and June 30, 2022.
| STATE | BILL NO. | SUMMARY | STATUS |
|---|---|---|---|
| Alabama | H 318 | Relating to commerce, online marketplaces, certain disclosures required to be made by certain high-volume third-party sellers, consumer protections provided | Forwarded to Governor, 04/07/2022 |
| Arizona | H 2790 | Relates to personal data and consumer rights. | Introduced, 06/23/2022 |
| Connecticut | S 6 | Establishes a framework for controlling and processing personal data responsibilities and privacy protection standards for data controllers and processors. Grant consumers the right to access, correct, delete, and obtain a copy of personal data, and opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers. | Signed by Governor, 05/10/2022Effective July 1, 2023 |
| Georgia | S 332 | Relating to selling and other trade practices, to provide for certain disclosures by third-party high-volume sellers of consumer products on online marketplaces. | Signed by Governor, 05/04/2022Effective 01/01/2023 |
| Hawaii | H 1570 | Would ban the sale of flavored tobacco products and mislabeled e-liquid products. | Notice of Intent to Veto, 06/27/2022 |
| Hawaii | S 2032 | Would establish the Hawaii Genetic Information Privacy Act. Requires direct-to-consumer genetic testing companies to adhere to certain requirements pertaining to the collection, use, and disclosure of genetic data. Deems any violation as an unfair or deceptive trade practice subject to associated penalties. | Notice of Intent to Veto, 06/27/2022 |
| Illinois | S 3782 | Would amend the Biometric Privacy Information Act. Allows a private entity to collect, capture, or otherwise obtain a person’s biometric identifier or biometric information without satisfying other specified requirements if they meet certain conditions. | Changed Chief Sponsor, 04/30/2022 |
| Illinois | S 3939 | Would modify the exemptions from inspection and copying public records concerning cybersecurity vulnerabilities. | Approved by the Governor, 05/06/2022Effective 05/06/2022 |
| Kansas | H 2340 | Would increase the minimum age to 21 to purchase or possess cigarettes and tobacco products. | Died in Senate Committee, 05/23/2022 |
| Kansas | H 2433 | Would protect consumers and prevent online retail crime by requiring online marketplaces to verify and authenticate the identity of third parties who sell products on their platforms. | Died in Committee, 05/23/2022 |
| Kansas | H 2731 | Would require online marketplaces to obtain certain information from, and to require the disclosure of certain information by, third parties that sell products on their platforms. | Died on Calendar, 05/23/2022 |
| Louisiana | S 305 | Would provide for the disclosure of certain information on websites and online services. | Signed by the Governor, 06/03/2022Effective 08/01/2022 |
| Massachusetts | H 375 | Relative to the protection of personal identity. | Accompanied a Study Order, 06/30/2022 |
| Maryland | H 962 | Would require a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information maintained. and altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach. | Enacted, 05/29/2022Effective 10/01/2022 |
| Maryland | S 643 | Would require a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained, or licensed; and altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach. | Enacted, 05/29/2022Effective 10/01/2022 |
| New Hampshire | S 311 | Relates to access to drivers’ license information for legitimate business purposes. Would allow the scanning, recording, and retaining or storing of information obtained from any driver’s license or nondriver’s identification card provided that such practice was expressly disclosed to the holder. | Inexpedient to Legislate, 05/04/2022 |
| New York | S 1817 | Would relate to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person’s age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of twenty-one, the attempted purchase of the alcoholic beverage shall be denied. | Committed to Senate Rules Committee, 06/03/2022 |
| New York | S 3586 | Would establish the “It’s Your Data Act” for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information. | Referred to Cities, 05/25/2022 |
| New York | S 06701 | Would enact the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. | Amended and Recommitted to Internet and Technology, 05/31/2022 |
| Pennsylvania | S 1291 | Would provide for genetic information privacy and setting penalties for violations. | Referred to Consumer Protection and Professional Licensure, 06/16/2022 |
| Pennsylvania | H 1594 | Would require online marketplaces to inform consumers regarding the collection, verification, and disclosure of information. | Approved by the Governor, 07/11/2022Effective 01/01/2023 |
| Pennsylvania | S 895 | Would require online marketplaces to inform consumers regarding the collection, verification, and disclosure of information. | Removed from Table, 06/20/2022 |
| Virginia | H 381 | Provides that a controller that has obtained personal data about a consumer from a third party shall be deemed in compliance with a consumer’s request to delete such data if the controller either (i) retains a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer’s personal data remains deleted and does not use such retained data for any other purpose or (ii) opts the consumer out of the processing of that data for any purpose except those purposes exempted pursuant to the Consumer Data Protection Act.Amends Va. Code § 59.1-577. | Signed by Governor, 04/11/2022Effective June 1, 2022 |
| Virginia | S 393 | Would provide for the requirements that a controller that has obtained personal data about a consumer from a third party must meet to be deemed in compliance with a consumer’s request to delete such data. | Senate Sustained Governor’s Veto, 04/27/2022 |
| US | H 8152 | Would provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. | Ordered to be Reported, 07/20/2022 |
Federal Legislative Initiatives Relating to ID Scanning or Identity Verification
H.R.8152 – American Data Privacy and Protection Act
This bill establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual.
Specifically, the bill requires most companies to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service and to other specified circumstances. It also generally prohibits companies from transferring individuals’ personal data without their affirmative express consent.
The bill establishes consumer data protections, including the right to access, correct, and delete personal data. Prior to engaging in targeted advertising, the bill requires companies to provide individuals with a means to opt out of such advertising. The bill also provides additional protections with respect to personal data of individuals under the age of 17. It further prohibits companies from using personal data to discriminate based on specified protected characteristics.
Additionally, companies must implement security practices to protect and secure personal data against unauthorized access, and the Federal Trade Commission (FTC) may issue regulations for complying with this requirement.
The bill provides for enforcement of these requirements by the FTC and state attorneys general. Beginning four years after the bill’s enactment, individuals may, subject to certain notification requirements, bring civil actions for violations of the bill.
Finally, the bill preempts state laws that are covered by the provisions of the bill except for certain categories of state laws and specified laws in Illinois and California.
