California Proposes Amendment to CPRA to Include Biometric Data Protections
Over the last several years, California legislators have been making great strides in their efforts to improve consumers’ data privacy rights through the advancement of privacy legislation.
These legislative actions have been primarily focused on a consumer’s right to be made aware of the personal information that organizations collect and retain for their own benefit, and to grant them the right to manage this information. Recently proposed amendments seek to expand these rights and protections even further.
California’s Initial Privacy Efforts
On November 3, 2020, the California Privacy Rights Act (“CPRA”) was passed into law. Through the proper rulemaking authority granted by Assembly Bill 694 (“AB 694”), the CPRA will amend the California Consumer Privacy Act (“CCPA”) on many counts, including:
granting consumers the right to opt out of the sale and distribution of their personal information to third parties;
expanding the consumer’s time period for requesting that a business provide them with the personal information that was collected about them beyond the 12-month period contained in the CCPA;
expanding the consumer’s right to delete unnecessarily collected or incorrect personal information so that the business must comply with the request and then send a request to do the same to all third parties who have received this personal information from the business;
mandating that minors, persons under the age of 16, who opt out of the sale of their personal information receive a period of 12 months before the business can extend this request again; and
granting consumers access to information about how automated decision making is utilized with respect to the consumer and permitting them the right to opt out of this type of decision-making process.
Although the CPRA is not set to take effect until January 1, 2023, Section 25 of the CPRA limits the ability of the California legislature to make changes to the CPRA unless the changes are “consistent with and further the purposes and intent” of the CCPA, as amended by the CPRA provisions.
As such, this standard must be met in order for the most recent proposed amendment to the CPRA, Senate Bill 1189 (“SB 1189” or “bill”), to be approved and implemented.
Introduction of Biometric Information Protections
SB 1189 was introduced by State Senator Bob Wieckowski on February 17, 2022. Under this bill, the data privacy rights and protections afforded under the CPRA would be expanded to include specific protections for “biometric information.”
Under SB 1189, “biometric information” has the same broad definition as the CCPA: “a person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (“DNA”), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.”
Although the SB 1189 definition of “biometric information” is the same, the application of the bill includes one major difference from the CCPA: it applies to private entities.
Under the bill, private entities would be prohibited from collecting, retaining, distributing or purchasing a person’s biometric information, unless:
they can prove the information is required to provide the consumer’s requested service or to satisfy a valid “business purpose,” such as:
auditing the current interaction with a consumer;
detecting and protecting against security incidents or threats;
acting to improve or repair errors impairing the organization’s system;
using the information for a short-term and transient use that does not include re-distribution of personal information or use of personal information to better target the consumer;
performing services for the business or service provider; or
undertaking internal research for development and demonstration of the organization’s technologies or the quality or safety of an organization’s provided good or service; and
they provide the consumer with written notice of the biometric information being collected, stored, or used and the specific purpose and length of time for which it will be collected, stored, or used and permit the consumer the opportunity to consent to this collection basis.
If the private entity does intend to possess consumers’ biometric information, they must also provide the public with a written policy establishing a retention schedule and guidelines for destroying biometric information which will no longer be retained or was collected more than one year after the individual’s last intentional interaction with the entity.
If it is determined that the private entity collects, stores, or utilizes a consumer’s biometric information in an improper or impermissible manner, the consumer may bring a private right of action against the entity alleging a violation of the CCPA, as amended by the CPRA, and bring a civil action for any of the following remedies:
The greater of:
statutory damages between $100 and $1,000 per violation per day, and
actual damages;
Punitive damages;
Reasonable attorney’s fees and litigation costs; or
Any relief that the court determines to be appropriate, including equitable or declaratory relief.
Potential Impact of the Proposed Legislation
Although SB 1189 has yet to be approved, there are currently 13 states that have enacted or proposed privacy legislation that would safeguard biometric information. This is likely because, as Bob Wieckowski says, “[b]iometric technologies are becoming more prevalent in our society and it is important that we safeguard consumers from this encroachment into their privacy[.]”