New Biometric Data Privacy Legislation in the State of VA

VA H.B. 2307 is a comprehensive healthcare biometric data privacy law that was recently enacted in 2021. As the state of Virginia has implemented a robust legal framework as it concerns data protection and personal privacy in recent years, best exemplified by the enactment of the Virginia Consumer Data Protection Act (VCDPA) in 2021. To this point, VA H.B. 2307 provides legal protection for citizens of the state as it pertains to the collection, use, and disclosure of biometric data in relation to healthcare services. Furthermore, the also sets forth the punishments that healthcare providers and organizations stand to face should they fail to uphold the biometric privacy rights of Virginia residents.

How is biometric data defined under the law?

VA H.B. 2307 defines biometric data to mean “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.” Conversely, the law defines personal data to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.”

What are the duties of data controllers under the law?

The responsibilities that data controllers and processors have under VA H.B. 2307 with respect to safeguarding the biometric and healthcare information of residents within the state include but are not limited to:

• Data controllers are required to limit the collection of personal data to what is adequate, relevant, and reasonably necessary to provide consumers with the services they have requested.
• Data controllers are prohibited from disclosing the personal data of consumers for any purpose that is incompatible with the purpose for which it was collected, unless a consumer consents to such disclosure.
• Data controllers are required to develop and implement security measures and safeguards that can be used to ensure that the biometric and personal information of consumers is protected at all times.
• Data controllers are required to process all personal or biometric data in accordance with other applicable legislation at both the state and federal levels. Moreover, data controllers are also prohibited from discriminating against consumers in any way when collecting data from them.
• Data controllers may only collect and process the sensitive personal data of consumers, such as the biometric data that is used to identify a natural person, with the consent of said consumers.

What are the rights of consumers under the law?

The rights that consumers within the state of Virginia have under H.B. 2307 include:

• The right to confirm whether or not their personal information is being processed, as well as the right to access this information at their own discretion.
• The right to correct inaccuracies within any data elements regarding them that have been submitted to a controller for data processing.
• The right to request that any personal data concerning them be deleted.
• The right to obtain a copy of their personal data.
• The right to opt-out of the processing of their personal data for the purpose of targeted marketing, the sale of their data, or any other data profiling decisions.

Alternatively, as it pertains to the enforcement of the law, the provisions of VA H.B. 2307 are enforced by the state attorney general. To this end, the Virginia state attorney general has the authority to impose a wide range of penalties and sanctions against individuals and entities within the state that fail to comply with the law. Most notably, organizations that are found to be in violation of the law are subject to a monetary fine of up to $7,500 for each violation. What’s more, the attorney general also retains the right to recover reasonable expenses incurred during the course of a particular case as it relates to non-compliance with the law.

As of 2022, the state of Virginia has arguably the most strict and rigid data protection and personal privacy landscape in the country. While the vast majority of U.S. states have yet to even pass the most basic forms of personal information protection legislation, the Virginia Consumer Data Protection Act and H.B. 2307 protect the personal data of consumers within the state in a number of ways. Through the rights afforded to consumers within Virginia under these laws, said consumers have a number of means and methods available to them should they feel as though their privacy has been infringed upon.