Biometrics and the CCPA

The California Consumer Privacy Act (CCPA) is changing how businesses collect and use consumers' personal information. If your business processes biometric information, it's essential that you're aware of your obligations under this law.

The CCPA follows privacy laws such as the EU General Data Protection Regulation (GDPR) and the Illinois Biometric Information Privacy Act (BIPA) in specifically requiring businesses to safeguard biometric information.

In this article, we'll be looking at how the CCPA defines "biometric information," and what requirements the law places on businesses that collect biometric information from consumers.


Is Biometric Information Personal Information Under the CCPA?

The CCPA specifically cites biometric information as a type of personal information. The law identifies 11 categories of personal information (A-K). Biometric information is type "E" (at Section 1798.140(o)(1)(E)):

[Image: California Legislative Information, CCPA Section 1798.140(o)(1)(E): Biometric information]

By explicitly bringing biometric information under the law's ambit, the CCPA leaves no room for ambiguity. Businesses must comply with all the CCPA's obligations in respect of any biometric information they collect, use, store, or share.

The CCPA also excludes biometric information from its definition of "publicly available information" (which does not normally qualify as personal information) (at Section 1798.140(o)(2)).

[Image: California Legislative Information, CCPA Section 1798.140(o)(2): Publicly available personal information]

This means that, for example, if you derive biometric information from publicly available images of an individual, this biometric information is still personal information.

How Does the CCPA Define Biometric Information?

The CCPA's definition of biometric information is very broad. Some people interpret the law as giving a wider definition to biometric information than the GDPR.

Here's the definition of "biometric information," at Section 1798.140 (b) of the CCPA:

[Image: California Legislative Information, CCPA Section 1798.140(b): Definition of biometric information]

Let's break this definition down.

Core Definition

The concept of "biometric information" under the CCPA is:

"an individual's physiological, biological or behavioral characteristics... that can be used, singly or in combination with each other or with other identifying data, to establish individual identity."

The purpose of biometric information is to "establish individual identity," so there is no context in which biometric characteristics can be excluded from this definition.

It's important to note there is no requirement for biometric information to be stored with other identifying information to qualify as "personal information." This distinguishes the CCPA from other U.S. privacy laws, such as the California Online Privacy Protection Act (CalOPPA).

Examples

The CCPA provides many examples of biometric information. Note that the list of examples is not exhaustive, and there may be other types of data that qualify as biometric information.

The CCPA's examples of biometric information are:

  1. DNA
  2. Iris imagery
  3. Retinal imagery
  4. Facial recognition data
  5. Fingerprint
  6. Handprint
  7. Palmprint
  8. Vein patterns
  9. Voice recordings
  10. Keystroke patterns or rhythms
  11. Gait patterns or rhythms
  12. Sleep data
  13. Health data
  14. Exercise data

The CCPA separates these into two sub-types of biometric data (with DNA as a type of biometric information in itself):

  • Types 2-9 are data "from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted."

    • These are the types of biometric information typically collected for use in authentication methods (e.g. to unlock a device or gain access to a room)
    • Such types of data might be collected by phone manufacturers or security software developers (e.g. password managers that use multi-factor authentication)
    • Employers might also collect these types of biometric information in order to implement access controls and register employees' attendance
  • Types 10-14 are data that may be biometric information if they "contain identifying information."

    • These types of data might not be collected specifically for the purposes of identification or authentication, but can nonetheless identify an individual.
    • Such types of data might be collected by health-tracking devices or software developed to integrate with these devices.

When Does the CCPA Apply to the Processing of Biometric Information?

The CCPA covers "businesses," meaning any for-profit legal entity doing business in California that:

  • Has annual gross revenues of at least $25 million
  • Annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices
  • Derives at least 50% of its annual revenues from selling consumers' personal information

The CCPA also covers "service providers": for-profit legal entities of any size that process personal information on behalf of a business.

The CCPA aims to protect the personal information of "consumers" (California residents). This means that any covered business should obey the CCPA's provisions in respect of any biometric information (or other personal information) originating from Californians.

The CCPA will apply to business-to-business communications from January 1, 2021. The law will also apply to how you process your employees' personal information from January 1, 2022. If you use biometric authentication in your workplace, you must prepare for this.

CCPA Requirements for Businesses Processing Biometric Information

Let's look at some of the core CCPA requirements for businesses processing biometric information.

Update Your Privacy Policy

The CCPA requires businesses to present clear information about how they collect and process consumers' personal information, including biometric information.

Among other information, your Privacy Policy should include:

  • A list of the categories of personal information you have collected in the past 12 months, including biometric information (category "E"):

    • The categories of sources from which you collected biometric information (e.g. "the fingerprint scanner on your device")
    • The business or commercial purposes for which you collected biometric information (e.g. "we collect this information for security purposes, to authenticate users when they log into our app")
    • The categories of third parties with which you share biometric information (e.g. "we share this information with our cloud storage service provider")
  • A disclosure of whether you have sold biometric information over the past 12 months
  • A disclosure of whether you have disclosed biometric information for business purposes over the past 12 months

Here's an example from Allergan on how to provide some of this information:

[Image: Allergan California Privacy Policy, "Information Collected" chart: Biometric Identifiers excerpt]

Provide Notice at Collection

When collecting biometric information, or any other type of personal information, you must provide "notice at collection." This is one of the CCPA's four notices.

Your notice at collection must include:

  • Your purposes for collecting biometric information
  • Your business or commercial purposes for collecting biometric information
  • A link to your "Do Not Sell My Personal Information Page" (if you have one)
  • A link to your Privacy Policy

Rather than providing all this information in your notice, another acceptable approach is to include the above information as a section in your Privacy Policy and then provide a link to that section.

Implement Reasonable Security Safeguards

The CCPA requires businesses to "maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

The CCPA doesn't explain what constitutes a reasonable level of security. But in the California Data Breach Report of 2016, Kamala Harris (who was the California Attorney General) recommended implementing the 20 Center for Internet Security (CIS) Controls.

Note, however, that the CIS Controls constitute a relatively basic level of information security. This might not be considered appropriately rigorous given the sensitive nature of biometric information.

Therefore, you may wish to consider implementing a more advanced security framework, such as the NIST Cybersecurity Framework or ISO 27001.

Failing to properly secure biometric information leaves you liable to a lawsuit taken under the CCPA's private right of action or a civil penalty imposed by the California Attorney General.

Facilitate CCPA Consumer Rights Requests

An important part of the CCPA is its consumer rights. These apply to biometric information the same way they do to any other types of personal information.

This means that you must be prepared to facilitate all of these consumer rights in respect of any biometric information you have collected about consumers:

  • The right to notice: Providing a Privacy Policy and notice at collection whenever collecting biometric information
  • The right to know: When requested, confirming whether you have collected biometric information from a consumer, and providing a copy of any biometric information and any associated data
  • The right to delete: Erasing any biometric information in your control on request
  • The right to opt out: Ensuring you do not sell biometric information if a consumer requests that you do not do so
  • The right to opt in (for minors): Ensuring you do not sell the biometric information of a minor aged 13-16 without opt-in consent, or the parental consent of a minor under 13
  • The right to non-discrimination: Ensuring you do not discriminate against consumers who exercise their CCPA rights

Consumers may exercise their rights to "know" and "delete" twice per year. You may not charge a fee to carry out a request.

Set Up Service Provider Contracts

Processing biometric data under the CCPA is a somewhat risky activity. You may choose to offset some liability by engaging a service provider to process biometric data on your behalf.

Businesses remain liable for data breaches caused by their service providers. However, you may be able to arrange a contract wherein the service provider indemnifies your business against any losses caused by their negligence or wrongdoing.

Under the CCPA, you must have a service provider contract in place with any third parties to process consumers' personal information on your behalf. This service provider contract must:

  • State the purposes for which the service provider may process the personal information it receives from the business
  • Prohibit the service provider from using, disclosing, or retaining the personal information for any purpose outside of the contract, unless otherwise permitted by the CCPA

Summary

Processing biometric information is a big responsibility. Getting it wrong puts you at risk of legal action and reputational ruin. This has never been truer than since the CCPA came into force.

All of the CCPA's rules about how to process personal information apply to biometric information. You must ensure that you:

  • Update your Privacy Policy to notify consumers about how you collect, share, and sell biometric information
  • Provide a valid CCPA notice whenever you collect biometric information
  • Implement reasonable security processes to protect the biometric information in your control
  • Facilitate consumer rights requests from users in respect of their biometric information
  • Ensure you only share biometric information with service providers under a service provider agreement

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.