A bill pending before the South Carolina legislature would place limits on employers’ and businesses’ ability to collect and use biometric information from employees and customers. The law incorporates parts of similar laws in effect in Illinois and other states, but it has significant limits on the extent to which such businesses can be held liable.

Biometric information includes things such as fingerprints collected from a time clock entry system or facial recognition data used to access electronic communications systems. The South Carolina Biometric Data Privacy Act would require businesses to obtain written consent before such information is collected. The business would be required to maintain the security of such information and notify people when the information is collected. The bill contains a private right of action, with penalties of at least $1,000 for each negligent violation and at least $10,000 for each knowing violation.

The South Carolina bill resembles new data protection laws in other states in that it provides affected people with the right to have their biometric data deleted and elect not to have such information sold by the collecting entity. For employers, this law would require employee education and consent before any such information is collected or used as part of their electronic systems. As more states consider and adopt similar legislation, employers should consider the impact of such laws on their information systems.