Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
The state of California does not have any law that focuses specifically on the use or protection of biometric data.
Instead, California's state legislature passed the California Consumer Privacy Act of 2018 (CCPA), which defines biometric data as a type of personal information that makes identifying an individual possible.
The CCPA covers numerous types of entities that collect and use the biometric data of California residents.
It also places obligations on businesses, whether physically located in California or not, to safeguard California-based consumers' private, personal information. The law went into effect on January 1, 2020.
Let's take a look at how it affects the use of biometric data in the state of California.
The definition of biometric information according to the CCPA is the following:
(b) "Biometric information" means an individual's physiological, biological or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.
Examples of biometric data covered by the CCPA include but are not limited to:
It is important to note that biometric information collected by a business without the consumer's knowledge is explicitly excluded from the CCPA's definition of "publicly available" information.
For example, if a company takes biometric data about how a consumer walks from video footage without the consumer's consent, it isn't public data. Under the CCPA, that information is considered private, personal information.
The definition of a business under the CCPA is the following:
(c) "Business" means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
Businesses that must meet obligations under the CCPA are those that:
Legislators in California intended to exclude small businesses that don't sell data from the CCPA's requirements. However, it's still possible for some small companies that collect personal information to surpass the threshold of 50,000 consumers, households, or devices.
For instance, tech startups could easily reach that number if they gather biometric data through facial recognition or machine learning.
Additionally, the CCPA also covers for-profit legal entities that process personal data on behalf of other businesses. Section 1798.140 of the CCPA provides the specific definition of these service providers:
(v) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
In other words, a service provider may only retain, use, or disclose personal data for the purpose of performing the services specified in its contract with the business, and both businesses and service providers must abide by the CCPA's rules for processing it.
This includes the processing of biometric information.
There are general requirements that all businesses must comply with when it comes to personal information under the CCPA. These rules apply to biometric data as well.
However, there are some specific considerations that businesses need to take into account when it comes to compliance and biometric data. Below, we'll go over both.
Businesses must provide consumers with plain, unambiguous information on how they acquire and process personal data, which includes biometric data.
Here's an example of how Wells Fargo provides this information in its California Consumer Privacy Act Notice:
When collecting personal information, including biometric data, you must provide "notice at collection." This is one of the four notices required under the CCPA and its regulations.
This means that at the point of data collection, you need to give consumers a visible notice that contains, or links to, the following information:
The CCPA demands that businesses "maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."
Since the CCPA does not go into detail on what constitutes "reasonable security procedures," businesses might be able to mitigate risk under the law by incorporating security measures that California's Attorney General has already endorsed.
For example, California's Office of the Attorney General put out a Data Breach Report in 2016. That report listed security practices, which the Attorney General at the time saw as "reasonable."
The report emphasized a set of controls called the "CIS Controls" (also known as the CIS 20), which was published by the Center for Internet Security as a "universal baseline" for information security programs.
However, although many view the CIS Controls as a good starting point for security, there are significant gaps. For example, the version of the CIS Controls cited in the 2016 report contained no control for conducting due diligence on third-party partners; a dedicated Service Provider Management control (Control 15) only arrived with version 8 of the CIS Controls in 2021. The security of your business is only as strong as that of its weakest vendor.
In other words, businesses will need to go above and beyond California's Attorney General's recommendations if they wish to stay ahead of potential liability when it comes to data security.
Remember that if you neglect to secure biometric data properly, your business could be left open to a civil penalty imposed by the state's Attorney General, or to a lawsuit under the CCPA's private right of action if unencrypted and unredacted biometric data is breached as a result of your failure to maintain reasonable security.
Ensuring consumer rights is what the CCPA is all about. These rights extend to biometric data just as they do to all other forms of personal information.
This means that your business must respect the rights of consumers when it comes to the biometric data you've collected from them.
These rights include:
You must not charge a fee to carry out consumer requests made under the CCPA, unless a request is manifestly unfounded or excessive, in which case the law allows you to charge a reasonable fee or refuse to act on it. Additionally, you are not obligated to respond to a consumer's right to "know" request more than twice in a 12-month period.
Businesses need to be aware that the CCPA doesn't just protect consumers. It also protects job applicants and employees, although until January 1, 2023 the CCPA's obligations toward applicants and employees are largely limited to providing notice at collection and to the private right of action for data breaches. The CCPA therefore requires employers to adhere to its rules concerning the collection, storage, and security of biometric data in relation to their employees.
The CCPA requires that private businesses provide their employees and applicants with notice at collection before collecting biometric data; it does not condition collection on the individual's written consent. It's important to keep in mind that the CCPA applies only to for-profit businesses and places no restrictions on law enforcement when it comes to collecting biometric data.
This may be rectified in amendments to the CCPA as critics believe that the potential misuse and abuse of biometric data by the government far outweigh any threats from private businesses.
The CCPA ensures consumers, job applicants, and employees' rights with respect to the collection, use, storage, security, and deletion of their biometric data.
Remember that if your business fails to facilitate the rights of the categories of individuals mentioned above, you leave yourself open to legal action. Moreover, your reputation could be ruined.
In order to mitigate your risk, ensure that you:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.