CCPA: Biometric Information & Facial Recognition Under the CA Privacy Law
The California Consumer Privacy Act (CCPA) treats biometric information (including facial recognition data) the same as all other personal information. It applies when the biometric data makes it possible to identify a person and the company is a covered business under the new California privacy law, which will go into effect at the beginning of 2020.
Processing of biometric data is a hot topic in privacy law right now. Between controversy over the appropriate development of facial recognition technology and the more than 200 consumer lawsuits brought over suspected violations of the Illinois Biometric Information Privacy Act, there is a lot of attention in this area. Organizations that are collecting, using and sharing biometric data need to be implementing privacy platforms to enhance the protections and controls they offer consumers.
How does the CCPA regulate biometric data?
The CCPA defines biometric information as one of the categories of personal information protected by the law. As a result, all of the rights provided to California consumers to protect their personal information apply to biometric information as well. These include the right to access the personal information, delete it, and take it with them (data portability, a component of the right to access). California residents also have the right to tell businesses not to sell their personal information as part of the right to opt out. Finally, if an organization does not implement a reasonable security program to protect that data and suffers a breach, it can be subject to a class action under the private right of action, with statutory damages of between $100 and $750 per consumer per incident.
What is considered biometric information under the CCPA?
Biometric information means “an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.”
As part of the definition, the CCPA provides several examples of biometric information protected by the law. It includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted (faceprint, a minutiae template, voiceprint), and keystroke patterns, gait patterns, and sleep, health, or exercise data that contain identifying information.
Biometric information is also specifically excluded from the definition of publicly available so long as it is collected by the business without the consumer’s knowledge, so it does not matter if an individual is walking in public when that information is gathered by a company – without notice, it is still considered personal information.
What businesses are covered?
The law applies to businesses which have over $25 million in annual revenue, collect personal information on 50,000 people or devices, or receive more than 50% of their annual revenue from the sale of personal information. Although the law was designed to exclude small businesses that are not selling data, many small businesses could be collecting personal information on enough daily users that they would meet that threshold. In particular, if a company is gathering biometric data for something like machine learning in facial recognition, a newer startup could easily reach that number quickly.
We are also closely following the Washington privacy bill because of its potential protections for biometric information and the special section governing facial recognition technology.
The proposed Washington state bill treats biometric data processed for the purpose of uniquely identifying a natural person as sensitive data, similar to personal data revealing racial or ethnic origin. As organizations conduct the privacy risk assessments required under the proposed bill, the extent to which the personal data is sensitive data is one factor to be weighed in determining whether the potential risks outweigh the other interests. If the risks outweigh the interests in the processing, then the organization must obtain the consumer's consent to process the data.
Regulation of facial recognition, which typically uses biometric information, is covered in Section 14 of the proposed bill. It would require consent from consumers before deploying facial recognition services and meaningful human review of any profiling. Processors would also need to prohibit unlawful discrimination under federal or state law against individual consumers or groups.