New Biometric Data Privacy Legislation in the State of VA

VA H.B. 2307 is a comprehensive healthcare biometric data privacy law that was enacted in 2021. The state of Virginia has implemented a robust legal framework for data protection and personal privacy in recent years, best exemplified by the enactment of the Virginia Consumer Data Protection Act (VCDPA) in 2021. VA H.B. 2307 provides legal protection for citizens of the state as it pertains to the collection, use, and disclosure of biometric data in relation to healthcare services. Furthermore, the law also sets forth the punishments that healthcare providers and organizations stand to face should they fail to uphold the biometric privacy rights of Virginia residents.

How is biometric data defined under the law?

VA H.B. 2307 defines biometric data to mean “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.” Conversely, the law defines personal data to mean “any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified data or publicly available information.”

What are the duties of data controllers under the law?

The responsibilities that data controllers and processors have under VA H.B. 2307 with respect to safeguarding the biometric and healthcare information of residents within the state include but are not limited to:

What are the rights of consumers under the law?

The rights that consumers within the state of Virginia have under H.B. 2307 include:

The provisions of VA H.B. 2307 are enforced by the state attorney general. To this end, the Virginia state attorney general has the authority to impose a wide range of penalties and sanctions against individuals and entities within the state that fail to comply with the law. Most notably, organizations that are found to be in violation of the law are subject to a monetary fine of up to $7,500 for each violation. The attorney general also retains the right to recover reasonable expenses incurred during the course of a particular case as it relates to non-compliance with the law.

As of 2022, the state of Virginia has arguably the most strict and rigid data protection and personal privacy landscape in the country. While the vast majority of U.S. states have yet to even pass the most basic forms of personal information protection legislation, the Virginia Consumer Data Protection Act and H.B. 2307 protect the personal data of consumers within the state in a number of ways. Through the rights afforded to them under these laws, consumers within Virginia have a number of means and methods available should they feel that their privacy has been infringed upon.
