The California Consumer Privacy Act (CCPA)[1], officially referenced as AB-375, is a bill signed into law by Governor Jerry Brown on June 28, 2018 and effective on January 1, 2020. Independent of where a business is located, the CCPA applies to any business that collects, shares or sells the personal information of California residents. These individuals could be consumers and possibly employees or independent contractors.
CCPA will likely impact your organization if you are
- A for-profit business that derives more than 50% of its revenue from selling consumer personal information;
- A for-profit business that collects, buys, shares or receives personal information of more than 50,000 consumers, or
- A for-profit business with $25,000,000 annual gross revenue; however, CCPA currently does not specify whether the $25,000,000 threshold is for worldwide or California only annual gross revenue.
In addition to the CCPA, three states have enacted biometric privacy laws as of November 2019:
- Illinois passed the Biometric Information Privacy Act (“BIPA”) in October 2008
- Texas was the second state to pass the Biometric Privacy Act in 2009
- Washington passed its biometric privacy law in 2017
Washington’s H.B. 1493 includes a “security exception,” exempting those persons that collect, capture, enroll or store biometric identifiers in furtherance of a “security purpose.” The Washington and Texas biometric laws do not allow suits by private individuals; in both states the Attorney General enforces the requirements.
Illinois BIPA remains the only law that allows private individuals to file a lawsuit for damages from a violation ($1,000 per violation, and $5,000 per violation if it is intentional or reckless). Litigation under the statute began in 2015. As of June 2019, over 200 class action lawsuits have been filed.
Arizona, Florida, and Massachusetts have proposed legislation addressing biometric privacy as the commercial collection and use of biometric identifiers becomes more commonplace. A federal bill was also introduced in March 2019 that would prohibit certain organizations from using facial recognition data and technology without first obtaining user consent.
CCPA – Personal Information
The CCPA[1] defines “personal information” as information that can be used to identify a person. The definition includes eleven (11) categories, which can be summarized as:
- Identifiers, including:
  - Real name,
  - Postal address,
  - Unique personal identifier,
  - Online identifier,
  - Internet Protocol address,
  - Email address,
  - Account name,
  - Social security number,
  - Driver’s license number,
  - Passport number, or
  - Other similar identifiers.
- Selected Information in Customer Records:
  - Social security number,
  - Physical characteristics or description,
  - Telephone number,
  - Passport number,
  - Driver’s license or state identification card number,
  - Insurance policy number,
  - Employment history,
  - Bank account number,
  - Credit card number,
  - Debit card number,
  - Financial information,
  - Medical information,
  - Health insurance information.
- Legally Protected Characteristics
- Commercial Purchasing Information
- Biometric Information. The CCPA’s definition of biometric information is much broader than the definitions in the state biometric laws discussed below.
  - It applies to an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.
  - Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
- Internet or Network Activity Information, including but not limited to:
  - Browsing history,
  - Search history, and
  - Information regarding a consumer’s interaction with an Internet Web site.
- Geolocation. Many businesses collect geolocation information from California employees to know their precise locations and how fast a person drives.
- Information Typically Detected by the Senses:
  - Olfactory, or
  - Similar information.
- Professional or Employment-Related Information
- Education Information, including information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences Drawn from Any of the Above to Create a Profile
Biometric Information for IL, TX, and WA
According to Illinois BIPA[2], “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and “biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. This definition excludes other data points such as photographs, demographic data, and writing samples.
Washington’s H.B. 1493[4] defines “biometric identifier” as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.”
Notice and Consent
- Illinois BIPA requires employers to obtain a “written release.” Regardless of where your business is headquartered, if your employees are in Illinois, you must obtain these employees’ releases in writing.
- Texas[3] and Washington[4] do not specify that consent must be given in writing.
Want to stay ahead of the CCPA and biometric regulations? Implement a proactive strategy for data privacy and keep your employees’ written consent for the use of their personal information on file.
- Develop a written policy that is made available to employees addressing how your business will collect, use, distribute, and destroy biometric data. This policy must include a retention guideline and guidelines for permanently destroying unused BIPA protected data.
  - Under BIPA, a private entity must destroy biometric identifiers and information once the purpose for which they were collected has been fulfilled, or within 3 years of the individual’s “last interaction” with the employer or entity (BIPA Sec. 15(a)).
  - Texas[3] requires that biometric identifiers be destroyed no later than the first anniversary of the date on which the purpose for collecting the identifier expires.
- Provide written notice to all impacted employees that biometric identifiers or information are being collected and stored, as well as the specific purpose and time period during which the identifiers or information will be collected, stored and used. Manage your risk by clearly informing your employees and customers of how you handle their biometric data, including but not limited to:
  - How long will their biometric data be kept?
  - When and how will the biometric data be destroyed?
  - Will the biometric data be shared with or processed by third-party vendors or partners?
  - How will the biometric data be handled if the business is sold, closed, or enters bankruptcy?
- Encrypt the biometric data at rest and in transit.
- Limit access to the biometric data.
- Obtain written consent or a release, including a signature from all employees whose biometric identifiers or information will be collected, stored, and used.
- Follow your written policies.
- Review the business’ general commercial liability insurance coverage to make sure it adequately covers BIPA risks.
Consult a biometric compliance expert and your labor attorney to protect your business.
References
1. California Consumer Privacy Act (CCPA) – AB-375
2. Illinois Biometric Information Privacy Act
3. Texas Business & Commerce Code – BUS & COM 503.001, Capture or Use of Biometric Identifier
4. Washington Biometric Identifiers, House Bill 1493
5. Five Things to Know About Biometrics in the Workplace (California) – Labor Code section 1051 prohibits employers from sharing this information with a third party.
6. BIPA Update: Class Actions on the Rise in Illinois Courts – Up to 213 BIPA cases have been filed in 2018 and 2019 in Illinois as of June 2016.