
Nebraska Unicameral Considers Privacy Rights in Biometrics

on Friday, 23 February 2024 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

In connection with the national trend of states focusing on data privacy, this session the Nebraska Unicameral is considering a privacy bill regarding biometric information in LB 954.  The Biometric Autonomy Law grants individuals ownership of and broad control over their biometric data collected and possessed by entities.

The Law broadly defines biometric data to include a retina or iris scan, fingerprint, voice print, scan of hand or face geometry, DNA biometrics, brain wave biometrics, heart biometrics, pulmonary biometrics, reproductive biometrics, or other biometrics.  While this definition is expansive, the Law expressly excludes the following from constituting biometric data:

  • Writing sample, written signature, photograph, human biological sample used for valid scientific testing or screening, demographic data, tattoo description, or physical description such as height, weight, hair color, or eye color
  • Biometrics or information regarding any (i) anatomical gift, part, or tissue as such terms are defined in the Revised Uniform Anatomical Gift Act or (ii) blood or serum stored on behalf of any recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency.

Additionally, while the Law does not exempt information subject to HIPAA outright, it expressly provides that it should not be construed to conflict with HIPAA.

The Law gives individuals ownership of their biometric data and the right to sell such data, while simultaneously restricting the ability of entities to handle and process biometric data.  In particular, entities that collect or possess biometric data must take the following actions:

  • Obtain consent before or at the time of collection of the biometric information while informing the individual of the purpose and duration of collection.
  • Develop and publish a written policy that establishes the company’s retention schedule, under which biometric information must be deleted by the earliest of (i) expiration of the purpose for which the biometric information was collected; (ii) 3 months after the last interaction with the entity; or (iii) expiration of the individual’s written consent.
  • Comply with requests of individuals to transfer their biometric information within 5 calendar days.

Moreover, the Law outright prohibits an entity from selling, leasing, trading, or directly profiting from biometric data.  The Law is enforced by the Attorney General under Nebraska’s Consumer Protection Act.

Overall, the broad definition of biometric data has the potential to affect many businesses, such as companies that provide wearable health devices, companies that offer security features tied to facial features or fingerprints, and entities that conduct genomic operations. The consent and deletion elements, along with the outright prohibition on profiting from biometric data, have the potential for significant impact on these businesses.

LB 954 is scheduled for a hearing on February 27, and we will continue to monitor for updates.
