Biometric Identifiable Information (BII) is generally defined as any physiological or biological characteristic that is used by or on behalf of a commercial establishment to identify an individual. Businesses use BII for various purposes including time cards, security, access to buildings or technology, or even for biometric marketing. BII may take the form of a retina scan, a fingerprint, a voiceprint, a scan of hand or face geometry, or any other identifying characteristic. BII is a more secure, reliable, and convenient form of identification—as opposed to passwords or account information—as you cannot forget or share your biometric identifiers. With the added convenience comes added risk, however, because your BII cannot be replaced or changed if stolen. The increased use of BII has predictably led to state regulation to protect consumers’ and employees’ biometric data.

Across the United States, legislatures are passing new biometric privacy laws with potentially onerous fines, making businesses who collect biometric information, and the insurance companies that sell policies to those companies, understandably nervous. These laws have varying impact depending on whether or not they create a private cause of action, how much the fines are per violation, and other provisions, such as the presence of a notice period and opportunity to cure.