Understanding definitions for “data broker” and sensitive personal data will help companies determine if they’re subject to FTC compliance under its new data broker law, Wiley attorneys said Wednesday.
Biometric Privacy
Biometric privacy laws regulate how companies handle sensitive personal identifiers like facial scans, fingerprints and voiceprints. In the U.S., Illinois’ BIPA has led to landmark litigation and multimillion-dollar settlements, setting a precedent for consent, data retention and security standards. Other states and countries are following suit with their own biometric requirements. This page covers key lawsuits, regulatory action and compliance best practices in the biometrics space.
Colorado's proposed draft amendment on kids' privacy in a rulemaking for implementing changes to the Colorado Privacy Act reflect the ongoing trend of states expanding privacy protections for their constituents beyond federal law, said Morgan Lewis lawyers in a blog post Tuesday.
Canada’s Privacy Commissioner on Monday issued guidance for private and public sector entities handling biometric data.
States show growing interest in privacy laws covering neural and neurotechnology data, Future of Privacy Forum (FPF) said Tuesday. Four states have enacted laws so far: Montana, California, Connecticut, and Colorado.
The New Zealand Office of the Privacy Commissioner Wednesday issued a biometric processing privacy code that attempts to balance responsible use of biometrics but also restricts intrusive forms of biometric technologies, such as those used to predict people's emotions to infer information like ethnicity or sex.
The U.S. Supreme Court's June decision that upheld a Texas law requiring age verification for access to porn sites (see 2506270041) could have wide implications for future legislation at the federal and state levels, said privacy lawyers.
Home Depot's AI-powered system that manages inventory and mitigates theft at self-checkout stations violates the Illinois Biometric Information Privacy Act (BIPA), said a class-action lawsuit filed Friday. Called Computer Vision, the system uses cameras and machine learning to perform facial recognition and collect customer facial geometry, lead plaintiff Benjamin Jankowski alleged in case 25-09144.
So far in 2025, state lawmakers and regulators have focused on data related to health, children, geolocation and biometrics, said Sidley privacy attorneys Colleen Theresa Brown, Sheri Porath Rockwell and Sasha Hondagneu-Messner in a blog post Thursday.
New Jersey’s Office of Consumer Protection delayed until Sept. 2 the deadline to submit comments on draft rules for implementing the New Jersey Data Privacy Act (NJDPA), according to the office’s website. The comments were previously due Aug. 1.
Minnesota's comprehensive privacy law that took effect Thursday uniquely requires companies to allow consumers to question their automated decisions. The law also includes uncommon requirements about material changes to privacy polices and giving lists of third parties to consumers. While companies will also for the first time face requirements such as having to conduct data inventories and appoint chief privacy officers, many of the law's stipulations are already best practices, privacy lawyers told us.