The state of California does not have any law that focuses specifically on the use or protection of biometric data.

Instead, California's state legislature passed the California Consumer Privacy Act of 2018 (CCPA) as amended by the CPRA, which defines biometric data as a type of personal information that makes identifying an individual possible.

The CCPA (CPRA) covers numerous types of entities that collect and use the biometric data of California residents.

It also places obligations on businesses, whether physically located in California or not, to safeguard California-based consumers' private, personal information. The law went into effect on January 1, 2020, with the CPRA's amendments taking effect on January 1, 2023.

Let's take a look at how it affects the use of biometric data in the state of California.


What is Biometric Data Under the CCPA (CPRA)?

The definition of biometric information according to the CCPA is the following:

(b) "Biometric information" means an individual's physiological, biological or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.

Examples of biometric data covered by the CCPA (CPRA) include but are not limited to:

  • The imagery of the iris
  • Retina
  • Fingerprints
  • Face
  • Hand
  • Palm
  • Vein patterns
  • Voice recordings
  • Any information where someone can extract data through an identifier template, minutiae template, voice print, or face print
  • Keystroke patterns or rhythms
  • Gait patterns or rhythms
  • Sleep, health, or exercise data that contain identifying information

It is important to note that biometric data collected without the consumer's knowledge and consent is explicitly excluded from the definition of publicly available information.

For example, if a company takes biometric data about how a consumer walks from video footage without the consumer's consent, it isn't public data. Under the CCPA (CPRA), that information is considered private, personal information.

What Businesses Must Comply With the CCPA (CPRA)?

The definition of a business under the CCPA (CPRA) is the following:

(c) "Business" means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

Businesses that must meet obligations under the CCPA (CPRA) are those that:

  • Have annual gross revenues above twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185
  • Alone or in combination, annually buy, receive for the business's commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers, households, or devices, or
  • Derive 50 percent or more of its annual revenues from selling or sharing consumers' personal information

Legislators in California intended to exclude small businesses that don't sell data from the CCPA/CPRA's requirements. However, it's still possible for some small companies that collect personal information to surpass the threshold of 100,000 consumers.

For instance, tech startups could easily reach that number if they gather biometric data through facial recognition or machine learning.

Additionally, the CCPA (CPRA) also covers for-profit legal entities that process personal data for other businesses. Section 1798.140 of the bill provides the specific definition of these service providers:

(v) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

In other words, while service providers are forbidden from retaining, using, or disclosing personal data for any purpose other than performing the contracted services, both businesses and service providers must abide by the CCPA/CPRA's rules for processing it.

This includes the processing of biometric information.

Obligations Under the CCPA (CPRA)

There are general requirements that all businesses must comply with when it comes to personal information under the CCPA (CPRA). These rules apply to biometric data as well.

However, there are some specific considerations that businesses need to take into account when it comes to compliance and biometric data. Below, we'll go over both.

General Obligations

Businesses must provide consumers with plain, unambiguous information on how they acquire and process personal data, which includes biometric data.

A business should include this information in its Privacy Policy.

For example:

  • You must list the categories of information you've collected over the past year, including biometric data
  • You must state the categories of sources from which you collected biometric data (e.g., "a retinal scanner")
  • You must provide information on the commercial or business purposes for which you collected personal data
  • You must list the categories of third parties with which you share biometric data (e.g., "we share personal data with service providers who act on our behalf")
  • You must disclose whether you have sold biometric data within the past year
  • You must disclose whether you have divulged biometric data for business purposes within the past year

Here's an example of how Wells Fargo provides this information in its California Consumer Privacy Act Notice:

Wells Fargo CCPA Notice: Categories of Third Parties and Our Disclosures of Personal Data clause - Chart with Biometrics section highlighted

Provide Notice

When collecting personal information, including biometric data, you must provide "notice at collection."

This means that at the point of data collection, you need to provide consumers with a visible notice that provides:

  • The purpose for which you are collecting biometric data
  • The commercial or business purposes for collecting biometric data
  • How long you retain the biometric data
  • A link to your Privacy Policy
  • A link to your "Do Not Sell My Personal Information" page

Here's an example of how such a notice can look. It can be included anywhere on your site where relevant, such as where users submit biometric data to you:

Generic biometric notice at collection

The notice at collection is one of the CCPA/CPRA's four required notices, and it applies to biometric information just as it does to any other type of personal data.

An alternative to putting all this information on a "notice at collection" is to include all of the information listed above in a section in your Privacy Policy. You can then simply link to that section on your notice.

Put Reasonable Safeguards in Place

The CCPA (CPRA) demands that businesses "maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

Since the CCPA (CPRA) does not go into detail on what constitutes "reasonable security procedures," businesses might be able to mitigate risk under the law by incorporating security measures that California's Attorney General has already endorsed.

For example, California's Office of the Attorney General put out a Data Breach Report in 2016. That report listed security practices that the Attorney General at the time regarded as "reasonable."

The report emphasized a set of controls called the "CIS Controls" (also known as the CIS 20), which was published by the Center for Internet Security as a "universal baseline" for information security programs.

However, although many view the CIS Controls as a good starting point for security, there are significant gaps. For example, the controls say little about conducting due diligence on third-party partners, yet the security of your business is only as strong as that of its weakest vendor.

In other words, businesses will need to go above and beyond California's Attorney General's recommendations if they wish to stay ahead of potential liability when it comes to data security.

You should disclose in your Privacy Policy that you have security procedures in place:

Generic biometric security clause

Remember that your business could be left open to a civil penalty imposed by the state's Attorney General or a lawsuit taken under the CCPA/CPRA's private right of action if you neglect to secure biometric data properly.

Expedite CCPA (CPRA) Consumer Rights Requests

Ensuring consumer rights is what the CCPA (CPRA) is all about. These rights extend to biometric data just as they do to all other forms of personal information.

This means that your business must respect the rights of consumers when it comes to the biometric data you've collected from them.

These rights include:

  • The right to notice: Your business must provide a notice at collection whenever you collect biometric data. You must also provide a Privacy Policy.
  • The right to know: Consumers have the right to know what kind of personal information you're collecting (including biometric data), why you are collecting it, how you plan to use it, how you will secure it, how long you will keep it, how they can correct or delete it, and how they can obtain copies of it.
  • The right to delete: You must delete a consumer's biometric data upon that consumer's request.
  • The right to opt-out: You must not sell a consumer's information if a consumer makes such a request.
  • The right to opt-in (for minors): You must not sell the biometric data of those aged 13-16 without prior consent. Additionally, you must not sell the data of those under the age of 13 without parental consent.
  • The right to non-discrimination: You must not discriminate against consumers who choose to exercise their rights under the CCPA (CPRA).

Let users know what rights they have and how to execute them by including this as a clause in your Privacy Policy:

Gahlia Lahav Privacy Policy: User Rights clause excerpt

You must not charge any fees to carry out consumer requests in connection with their rights under the CCPA (CPRA). Additionally, consumers may exercise their rights to "know" and "delete" twice every year.

Biometrics and Employee Issues in California

Businesses need to be aware that the CCPA (CPRA) doesn't just protect consumers. It also protects applicants and employees. The CCPA (CPRA) demands that employers adhere to rules concerning the collection, storage, and use of biometric data in relation to their employees.

The CCPA (CPRA) requires that private businesses provide their employees with notice and gain voluntary consent before collecting biometric data. It's important to keep in mind that the CCPA (CPRA) places no restrictions on law enforcement when it comes to collecting biometric data.

This may be rectified in amendments to the CCPA (CPRA) as critics believe that the potential misuse and abuse of biometric data by the government far outweigh any threats from private businesses.

Summary

The CCPA (CPRA) protects the rights of consumers, job applicants, and employees with respect to the collection, use, storage, security, and deletion of their biometric data.

Remember that if your business fails to facilitate the rights of the categories of individuals mentioned above, you leave yourself open to legal action. Moreover, your reputation could be ruined.

In order to mitigate your risk, ensure that you:

  • Update your Privacy Policy to include information on how you collect, share, and sell personal information, including biometric data
  • Provide notice at collection
  • Put strict security protocols into place to ensure the protection of all biometric data under your control
  • Comply with consumer rights requests in a swift and efficient manner
  • Make sure that any biometric data is shared with service providers only under a service provider agreement
