How the New California Privacy Law (CCPA) Handles Facial Recognition

 
The Facebook – Cambridge Analytica scandal may be the privacy story of the year as it opened the eyes of many to the issue of third-party data sharing, but there have been undercurrents of other issues that might develop in the future. One of those has been the growing adoption of facial recognition. Both businesses and consumers should be following how privacy laws are handling facial recognition, so we thought that we would start by examining the California Consumer Privacy Act of 2018 (CCPA).

 

 
Here is a quick look at some of the facial recognition issues that have come to the forefront this year:

Amazon sold its facial recognition tool, Rekognition, to law enforcement in Orlando and Oregon for only a few dollars a month. After the ACLU made this information public, a coalition of civil rights groups asked Amazon to stop selling it to the police. Orlando has since ended its pilot program with the technology.

Schools are increasingly considering facial recognition to address security concerns. School shootings have elevated security risks at schools and their leadership is looking for technological solutions to the problem.

Microsoft’s president and chief legal officer, Brad Smith, called for federal regulation of facial recognition technology. Microsoft was criticized for a contract with the U.S. Immigration and Customs Enforcement (ICE) after people thought (wrongly) that ICE was using Microsoft’s facial recognition. It is not often that an entity like Microsoft calls for government regulation of its products.

Texas, Illinois and Washington already have laws that prohibit the use of facial recognition technology to identify people without their informed consent. However, the Illinois law, Biometric Information Privacy Act, is currently before the Illinois Supreme Court on the question of whether a person may sue after their biometric information is collected when they have experienced no other injury. The Electronic Frontier Foundation has said that narrowly interpreting the enforcement scheme for BIPA in this manner would “defang” the law.

 
 GET OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW …

 
How does the New California Privacy Law Handle Facial Recognition?

The California Consumer Privacy Act includes biometric information within the definition of personal information. Biometric information is defined as:

“an individual’s physiological, biological or behavioral characteristics … that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina … [and] face …, from which an identifier template such as a faceprint … can be extracted ….”

 
Which Businesses Using Facial Recognition Must Comply with the CCPA?

The law has three thresholds for businesses. If the business has annual gross revenue of over $25 million or annually receives the personal information of 50,000 or more consumers, than the company must comply with the law. If a company is collecting the personal information of more than 137 people a day, which most facial recognition systems would likely do, then they must comply with the law.

 
What do Businesses Using Facial Recognition Need to Know about the Law?

Because the new law includes biometric information within the definition of personal information, businesses that are covered by the law will need to inform consumers if they are collecting biometric information, be prepared to provide that information to consumers if they exercise a right to access request, and delete that information if a consumer requests it.

If they are selling personal information to third-parties gained from the facial recognition technology, they will also need to scrub the information for children under 16 years of age before it is sold. The alternative is to capture opt-in consent from the children if between 13 and 16, and from a parent or guardian if under the age of 13.

Businesses that are selling biometric information will also need to provide a mechanism for adults (anyone 16 years of age or older) to opt out of the sale of their personal information. The law requires businesses with websites to place a link titled Do Not Sell My Personal Information on the homepage and in their privacy policy. When an individual clicks on this link, they must be taken to a form that permits them to opt out of the sale of their personal information.

Businesses will also need to explain the rights of consumers to them and fulfill a few other requirements of the law.

 

 
What Else Do Businesses Need to Understand?

The law goes into effect on January 1, 2020. Between passage at the end of June 2018 and the effective date, there is likely to be at least one amendment to the law and clarifying interpretations issued by the California Attorney General, so be sure to keep an eye out for these changes and explanations.

Momentum has been building for federal legislation for privacy, and since there has been a number of calls for federal regulation of facial recognition technology, it is entirely possible that it will fall within the scope of any privacy law that comes out of Congress.