09 November 2020
The California Consumer Privacy Act (CCPA) is changing how businesses collect and use consumers' personal information. If your business processes biometric information, it's essential that you're aware of your obligations under this law.
The CCPA follows privacy laws such as the EU General Data Protection Regulation (GDPR) and the Illinois Biometric Information Privacy Act (BIPA) in specifically requiring businesses to safeguard biometric information.
In this article, we'll be looking at how the CCPA defines "biometric information," and what requirements the law places on businesses that collect biometric information from consumers.
The CCPA specifically cites biometric information as a type of personal information. The law identifies 11 categories of personal information (A-K). Biometric information is type "E" (at Section 1798.140(o)(1)(E)):
By explicitly bringing biometric information under the law's ambit, the CCPA leaves no room for ambiguity. Businesses must comply with all the CCPA's obligations in respect of any biometric information they collect, use, store, or share.
The CCPA also excludes biometric information from its definition of "publicly available information" (which does not normally qualify as personal information) (at Section 1798.140(o)(2)).
This means that, for example, if you derive biometric information from publicly available images of an individual, this biometric information is still personal information.
The CCPA's definition of biometric information is very broad. Some people interpret the law as giving a wider definition to biometric information than the GDPR.
Here's the definition of "biometric information," at Section 1798.140 (b) of the CCPA:
Let's break this definition down.
The concept of "biometric information" under the CCPA is:
"an individual's physiological, biological or behavioral characteristics... that can be used, singly or in combination with each other or with other identifying data, to establish individual identity."
The purpose of biometric information is to "establish individual identity," so there is no context in which biometric characteristics can be excluded from this definition.
It's important to note there is no requirement for biometric information to be stored with other identifying information to qualify as "personal information." This distinguishes the CCPA from other U.S. privacy laws, such as the California Online Privacy Protection Act (CalOPPA).
The CCPA provides many examples of biometric information. Note that the list of examples is not exhaustive, and there may be other types of data that qualify as biometric information.
The CCPA's examples of biometric information are:
The CCPA separates these into two sub-types of biometric data (with DNA as a type of biometric information in itself):
Types 2-9 are data "from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted."
Types 10-14 are data that may be biometric information if they "contain identifying information."
The CCPA covers "businesses," meaning any for-profit legal entity doing business in California that:
The CCPA also covers "service providers": for-profit legal entities of any size that process personal information on behalf of a business.
The CCPA aims to protect the personal information of "consumers" (California residents). This means that any covered business should obey the CCPA's provisions in respect of any biometric information (or other personal information) originating from Californians.
The CCPA will apply to business-to-business communications from January 1, 2021. The law will also apply to how you process your employees' personal information from January 1, 2022. If you use biometric authentication in your workplace, you must prepare for this.
Let's look at some of the core CCPA requirements for businesses processing biometric information.
The CCPA requires businesses to present clear information about how they collect and process consumers' personal information, including biometric information.
A list of the categories of personal information you have collected in the past 12 months, including biometric information (category "E"):
Here's an example from Allergan on how to provide some of this information:
When collecting biometric information, or any other type of personal information, you must provide "notice at collection." This is one of the CCPA's four notices.
Your notice at collection must include:
The CCPA requires businesses to "maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."
The CCPA doesn't explain what constitutes a reasonable level of security. But in the California Data Breach Report of 2016, Kamala Harris (who was the California Attorney General) recommended implementing the 20 Center for Internet Security (CIS) Controls.
Note, however, that the CIS Controls constitute a relatively basic level of information security. This might not be considered appropriately rigorous given the sensitive nature of biometric information.
An important part of the CCPA is its consumer rights. These apply to biometric information the same way they do to any other types of personal information.
This means that you must be prepared to facilitate all of these consumer rights in respect of any biometric information you have collected about consumers:
Consumers may exercise their rights to "know" and "delete" twice per year. You may not charge a fee to carry out a request.
Processing biometric data under the CCPA is a somewhat risky activity. You may choose to offset some liability by engaging a service provider to process biometric data on your behalf.
Businesses remain liable for data breaches caused by their service providers. However, you may be able to arrange a contract wherein the service provider indemnifies your business against any losses caused by their negligence or wrongdoing.
Under the CCPA, you must have a service provider contract in place with any third parties to process consumers' personal information on your behalf. This service provider contract must:
Processing biometric information is a big responsibility. Getting it wrong puts you at risk of legal action and reputational ruin. This has never been truer than since the CCPA came into force.
All of the CCPA's rules about how to process personal information apply to biometric information. You must ensure that you:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.