Regulation of Biometric Data under the California Consumer Privacy Act
The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) includes biometric information as one of the categories of personal information protected by the law. As a result, all of the rights provided to California consumers to protect their personal information apply to biometrics. These include the right to know what personal information has been collected, to delete it, and to opt out of its sale. Although the CCPA Regulations prohibit disclosing a consumer’s actual “unique biometric data” in response to a request to know, businesses must still inform consumers that they have collected this particular type of information.
Under the CCPA, biometric information is very broadly defined as “an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.” Cal. Civ. Code § 1798.140(b).
As part of this definition, the CCPA provides several examples of biometric information protected by the law. It includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template (such as a faceprint, a minutiae template, or a voiceprint) can be extracted, as well as keystroke patterns, gait patterns, and sleep, health, or exercise data that contain identifying information.
Biometric information is specifically excluded from the definition of “publicly available information” (which, in turn, is outside the scope of “personal information” under the CCPA) so long as it is collected by the business without the consumer’s knowledge. For example, images captured by a hidden public facial recognition camera system would not be considered “public information.”
Furthermore, the CCPA requires businesses to implement and maintain reasonable security procedures and practices to protect personal information. A failure to do so that results in unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted “unique biometric data” can subject companies to a lawsuit, including a class action. Statutory damages in such an action can range between $100 and $750 per consumer per incident. Cal. Civ. Code § 1798.150. Notably, this provision applies not only to biometric data of customers but also to employee data, even though employee data is exempt from most of the other CCPA requirements.
The California Privacy Rights Act 2020 initiative, which will be on the state’s November 2020 ballot, places biometrics in the “sensitive” data category. It would require businesses to provide transparent disclosures about the biometric data they process and would subject them to heightened restrictions on its use.