HB295 Alabama 2020 Session

Summary

Primary Sponsor

Jamie KielRepresentative

Republican

Session

Regular Session 2020

Title

Consumer protection, privacy rights, regulation of use of biometric identifiers for a commercial purpose, civil fine, authorized

Summary

HB295 would ban capturing biometric identifiers for commercial purposes without written consent and set rules for how such data can be stored, used, and destroyed, with civil penalties for violations.

What This Bill Does

Biometric identifiers are defined as retina or iris scans, fingerprints, voiceprints, or hand/face geometry, with voiceprint data held by financial institutions excluded. Businesses cannot capture biometric data for a commercial purpose unless they obtain written consent from the person before capture. Those who hold biometric data must protect it, may not disclose it except in specific cases (such as for identified financial transactions, missing-person situations, legal requirements, or law enforcement with a warrant), and must destroy it within one year after the data’s collection purpose ends, with some exceptions for longer legal retention or employer security needs. Violations can trigger civil penalties of up to $25,000 per incident, and the Attorney General can sue to recover the penalties.

Who It Affects

• Consumers (people whose biometric data could be collected) — protected by consent requirements and data handling rules.
• Businesses and other entities that collect biometric data for commercial purposes — must obtain written consent, secure the data, limit when they disclose it, and follow destruction timelines.
• The Attorney General and individuals with injuries from improper handling — the AG can sue to recover civil penalties up to $25,000 per violation.

Key Provisions

• Defines biometric identifiers as retina/iris scans, fingerprints, voiceprints, or hand/face geometry, with an exclusion for voiceprint data retained by financial institutions.
• Prohibits capturing biometric identifiers for a commercial purpose without the individual's written consent obtained before capture.
• Requires storage, transmission, and protection of biometric data with security measures at least as strong as for other confidential information; restricts sale/disclosure to specified exceptions.
• Allows disclosures for legitimate purposes (identification in emergencies, completing a financial transaction, legal requirements, or law enforcement with a warrant).
• Requires destruction of biometric identifiers within a reasonable time, no later than the first anniversary of the data's collection purpose ending; exceptions apply for longer retention required by law or for employer security purposes after employment ends.
• Imposes civil penalties up to $25,000 per violation; the Attorney General may pursue penalties on behalf of injured parties; takes effect on the first day of the third month after passage and approval.

AI-generated summary using openai/gpt-5-nano on Feb 22, 2026. May contain errors — refer to the official bill text for accuracy.

Subjects

Consumers and Consumer Protection