California Consumer Privacy Act (CCPA) and
Biometric Compliance Laws in Illinois, Texas and Washington
The California Consumer Privacy Act (CCPA) [1], officially
referenced as AB-375, is a bill signed by Governor Jerry Brown on
June 28, 2018 that takes effect on January 1, 2020. Regardless
of where a business is located, the CCPA applies to any business that collects,
shares or sells the personal information of California residents. These individuals
may be consumers and possibly also employees or independent contractors.
CCPA will likely impact your organization if it is:
- A for-profit business that derives more than 50% of its revenue from
selling consumer personal information;
- A for-profit business that collects, buys, shares or receives personal
information of more than 50,000 consumers, or
- A for-profit business with $25,000,000 in annual gross revenue; however,
the CCPA currently does not specify whether the $25,000,000 threshold refers
to worldwide or California-only annual gross revenue.
In addition to the CCPA, three states have enacted biometric privacy laws
as of November 2019:
- Illinois passed the Biometric Information Privacy Act (“BIPA”) in October 2008.
- Texas was the second state to pass a biometric privacy act.
- Washington passed its biometric privacy law in 2017.
Washington’s H.B. 1493 includes a “security exception,” exempting those persons
that collect, capture, enroll or store biometric identifiers in furtherance of
a “security purpose.” The Washington and Texas biometric laws do not allow suits by
private individuals; in both states only the Attorney General can enforce the
requirements. Illinois BIPA remains the only law that allows
private individuals to file a lawsuit for damages from a violation
($1,000 per violation, and $5,000 per violation if it is intentional or reckless).
Litigation under BIPA began in 2015. As of June 2019, over 200
class action lawsuits have been filed.
Arizona, Florida, and Massachusetts have proposed legislation addressing the issue
of biometric privacy as the commercial collection and use of biometric identifiers
becomes more commonplace. A federal bill was also introduced in March 2019 that
would prohibit certain organizations from using facial recognition data and
technology without first obtaining user consent.
CCPA – Personal Information
The California CCPA [1] defines “Personal Information” as information that
can be used to identify a person.
The definition of personal information in the CCPA includes eleven (11)
categories, which can be summarized as:
- Identifiers, including:
- Real name,
- Postal address,
- Unique personal identifier,
- Online identifier,
- Internet Protocol address,
- Email address,
- Account name,
- Social security number,
- Driver’s license number,
- Passport number, or
- Other similar identifiers.
- Selected Information in Customer Records:
- Social security number,
- Physical characteristics or description,
- Telephone number,
- Passport number,
- Driver’s license or state identification card number,
- Insurance policy number,
- Employment history,
- Bank account number,
- Credit card number,
- Debit card number,
- Financial information,
- Medical information,
- Health insurance information.
- Legally Protected Characteristics
- Commercial Purchasing Information
- Biometric Information.
The CCPA’s definition of biometric information is much broader than the
state biometric laws discussed below:
- Applies to an individual’s physiological, biological or
behavioral characteristics, including an individual’s
deoxyribonucleic acid (DNA), that can be used, singly or
in combination with each other or with other identifying
data, to establish individual identity.
- Biometric information includes, but is not limited to, imagery
of the iris, retina, fingerprint, face, hand, palm, vein
patterns, and voice recordings, from which an identifier template,
such as a faceprint, a minutiae template, or a voiceprint, can be
extracted, and keystroke patterns or rhythms, gait patterns or
rhythms, and sleep, health, or exercise data that contain
- Internet or Network Activity Information, including but not limited to:
- Browsing history,
- Search history, and
- Information regarding a consumer’s interaction with an Internet Web site.
- Geolocation. Many businesses collect geolocation information from
California employees to know their precise locations and how fast a
- Information Typically Detected by the Senses
- Olfactory, or
- Similar information.
- Professional or employment-related Information
- Education Information, including information that is not publicly
available personally identifiable information as defined in the
Family Educational Rights and Privacy Act (20 U.S.C. section 1232g,
34 C.F.R. Part 99).
- Inferences from Above Used to Profile
Biometric Information for IL, TX, and WA
According to Illinois BIPA [2], “Biometric identifier” means a retina or iris scan,
fingerprint, voiceprint, or scan of hand or face geometry, and “Biometric
information” means any information, regardless of how it is captured, converted,
stored, or shared, based on an individual’s biometric identifier that is used to identify
an individual. This definition excludes other data points such as photographs,
demographic data, and writing samples.
The Washington biometric identifier law [4] defines “Biometric identifier” as “data
generated by automatic measurements of an individual’s biological characteristics,
such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological
patterns or characteristics that is used to identify a specific individual.”
Notice and Consent
- Illinois BIPA requires employers to obtain a “written release.”
Regardless of where your business is headquartered, as long
as your employees are in Illinois, you must obtain these employees’
releases in writing.
- Texas [3] and Washington [4] do not specify that consent
must be given in writing.
Want to stay ahead of the CCPA and biometric regulations? Implement a
proactive strategy for data privacy and obtain
your employees’ consent for the use of their personal information in writing:
- Develop a written policy that is made available to employees addressing
how your business will collect, use, distribute, and destroy biometric
data. This policy must include a retention guideline and guidelines
for permanently destroying unused BIPA protected data.
- Under BIPA, a private entity must destroy biometric identifiers
and information once the purpose for which they were collected has
been fulfilled or within 3 years of the individual’s “last
interaction” with the employer or entity (Sec. 15(a)).
- Texas [3] requires that biometric identifiers be destroyed
no later than the first anniversary of the date on which the
purpose for collecting the identifier expires.
- Provide written notice to all impacted employees that biometric
identifiers or information are being collected and stored as well as
the specific purpose and time period during which the identifiers or
information will be collected, stored and used. Manage your risk by
clearly informing and notifying your employees and customers about how you handle
their biometric data, including but not limited to:
- How long to keep their biometric data?
- When and how will the biometric data be destroyed?
- Will the biometric data be shared or processed by a
third-party vendor or partners?
- How will the biometric data be handled if the business is
sold, closed, or enters bankruptcy?
- Encrypt the biometric data at rest and in transit.
- Limit access to the biometric data.
- Obtain written consent or a release, including a signature from all
employees whose biometric identifiers or information will be collected,
stored, and used.
- Follow your written policies.
- Consider the business’ general commercial liability insurance
coverage to make sure it adequately covers BIPA risks.
Consult a biometric compliance expert and your
labor attorney to protect your business.
References
- [1] California Consumer Privacy Act (CCPA) - AB-375
- [2] Illinois Biometric Information Privacy Act
- [3] Texas Business & Commerce Code – BUS & COM 503.001 Capture or Use of Biometric Identifier
- [4] Washington Biometric Identifiers House Bill 1493
- Five Things to Know About Biometrics in the Workplace (California) - Labor Code section 1051 prohibits employers from sharing this information with a third party.
- BIPA Update: Class Actions on the Rise in Illinois Courts. Up to 213 BIPA cases have been filed in 2018 and 2019 in Illinois as of June 2016.