Publications
Article

Analyzing the CCPA’s Impact on the Biometric Privacy Landscape

Legaltech News

When it comes to biometric privacy, all eyes seem to be focused on the Illinois Biometric Information Privacy Act (BIPA), which is quickly developing into the nation’s next class action battleground. But other state privacy statutes that may have gone under the radar also have important implications for the larger patchwork of biometric laws.

For instance, the California Consumer Privacy Act (CCPA), which went into effect at the start of the year, directly implicates a wide swath of entities collecting/using the biometric data of California residents—even if the entity does not maintain any physical presence in the state. The CCPA also poses a significant risk of class action litigation. Taken together, all companies handling biometric data and falling under the scope of the CCPA must take immediate action to ensure strict compliance with California’s game-changing privacy law to mitigate the substantial risk of exposure.

CCPA Overview

Aside from applying to a broad range of business entities, the CCPA contains a far-reaching definition of “personal information” which includes—among other things—biometric data. In fact, the CCPA actually defines the term in a more expansive manner than BIPA.

Biometric data under the CCPA is defined as “an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other with other identifying data, to establish an individual’s identity.” This includes imagery of the iris/retina, fingerprint, hand/palm, and face from which an identifier template can be extracted, as well as sleep, health, or exercise data that contain identifying information.

Because of the broad scope of biometric data covered under the law, many companies that do not fall under the scope of BIPA may nonetheless fall under the CCPA, and will thus have to satisfy the law’s broad range of requirements, which include:

  • Expansive disclosure requirements, including maintaining a detailed privacy policy and providing consumers with a separate privacy notice at the time any biometric data is collected;
  • Compliance with the myriad of rights afforded to consumers to lodge requests regarding the biometric data that is collected, used, disclosed, and/or sold by covered entities, including the right to know, right to access, right to opt-out, right to deletion, and right to equal service and pricing;
  • Data security mandates, which require covered entities to maintain “reasonable security practices and procedures” to protect biometric data from being improperly accessed, acquired, or disclosed;
  • Requirements for certain contractual provisions to be included in all agreements with service providers; and
  • Employee training requirements.

Enforcement

The CCPA provides consumers with a private right of action—albeit a limited one that applies only in a very narrow set of circumstances. Consumers can pursue individual or class litigation if their personal data is impacted by a data breach and the entity is found to have violated its duty to maintain reasonable security measures. Consumers can recover between $100 and $750 in statutory damages per incident.

For all other violations outside this limited set of data breach events, enforcement power rests exclusively with the California attorney general. Here, businesses can be held liable for civil penalties of $2,500 for each violation, or $7,500 for each intentional violation.

Limited Private Right of Action, Expansive Class Action Litigation Risk

Given the CCPA’s narrow private right of action, many businesses assume the law poses a low risk of class action litigation for noncompliance. That is certainly not the case, as the last nine months demonstrate.

During that time, plaintiffs and their attorneys have wasted no time filing a wave of class actions for purported CCPA violations that have no relation to a security incident.

In fact, many such suits have not asserted claims under the CCPA; instead, they have used the CCPA as a predicate for causes of action under California’s plaintiff-friendly Unfair Competition Law (UCL). The California UCL, in turn, bars companies from engaging in business practices that are “unlawful, unfair, or fraudulent” and allows plaintiffs to “borrow” purported violations of other statutes—such as the CCPA—for use in asserting “unlawful” practices claims under the UCL.

Class actions pursuing CCPA claims for allegedly improper biometrics practices have already been filed. In February 2020, Clearview AI was sued for purportedly using facial recognition technology to generate a database containing the faceprints of millions of individuals and then selling access to its database to law enforcement agencies and private companies. In addition to asserting a BIPA cause of action, the Clearview AI plaintiffs also included a UCL claim based on violations of the CCPA; namely, Clearview AI’s failure to provide the requisite notices at collection when the company collected individual’s biometric data.

Compliance Tips

To ensure compliance with the CCPA, companies utilizing biometric data should consider the following:

  • Data Mapping: Conduct a data mapping and inventory exercise, which entails mapping and inventorying every piece of biometric data collected, used, and sold by the company, as well as all its data processing practices. Doing so will allow companies to proactively manage and safeguard biometric data, build out the privacy disclosures that are required by the CCPA, and satisfy consumer rights requests.
  • Privacy Policy: Update organizational privacy policies to include information required to be affirmatively disclosed to consumers under the CCPA pertaining to the business’s biometric data practices and consumer rights.
  • Notice at Collection: Provide consumers with the CCPA’s mandatory “notice at collection” (separate and distinct from the company’s privacy policy)—prior to the time any biometric data is collected. This notice should conspicuously inform individuals biometric data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is permanently destroyed.
  • Opt-Out: Permit individuals to opt out of the collection of their biometric data.
  • Systems to Comply With Consumer Rights Requests: Maintain systems and procedures to ensure adherence with the myriad of broad consumer rights afforded consumers under California’s new privacy law, including the following: (1) right to know; (2) right to access; (3) right to opt-out; (4) right to deletion; and (5) right to equal service and pricing.
  • Data Security: Maintain “reasonable security practices and procedures” to protect biometric data from being improperly accessed, acquired, or disclosed. In doing so, companies’ security measures should satisfy the reasonable standard of care applicable to the company’s given industry and protect biometric data in a manner that is the same or more protective than the way the company protects other forms of sensitive personal information.
  • Service Provider Contracts: Update service provider contracts to include the mandatory provisions required by the CCPA that will allow companies to maintain the ability to share biometric data with vendors.
  • Consult With Experienced Biometric Privacy Counsel: Consult with experienced biometric privacy counsel before implementing any type of biometric technology to ensure compliance with the CCPA and, from a broader perspective, with today’s constantly-evolving biometric privacy legal landscape.

Conclusion

2020 saw an explosion of bet-the-company BIPA class action litigation, including numerous high-profile suits targeting the biometrics practices of some of the world’s largest tech giants. Companies should expect class litigation for alleged CCPA violations in connection with covered entities’ biometrics practices to follow in 2021—especially given the considerable litigation stemming from alleged violations unrelated to any security (breach) incident that has been seen to date.

From a broader perspective, the CCPA is one of many new privacy and security laws enacted around the country geared toward increasing regulation over biometrics practices and enhancing the privacy/security of such biometric data. The CCPA represents a growing trend by lawmakers to impose more robust regulation over the use/collection of biometric data—further underscoring the importance companies must place on ensuring their biometrics practices keep pace with the fast-changing legal landscape.

While lawmakers’ efforts have been primarily focused on enacting targeted biometric privacy statutes modeled after the well-known Illinois BIPA, the CCPA demonstrates how legislators will also turn to other ways to impose requirements and restrictions over biometrics. And while California is one of the first states to do so through a more comprehensive consumer privacy law, it will certainly not be the last.

Taken together, regardless of location, companies using biometric data for commercial purposes should take proactive steps to review and assess their current consumer privacy compliance. This includes the need to update such plans and policies to comply with the privacy frameworks established by the CCPA, which will become increasingly more common as other states implement the same or substantially similar requirements in the immediate future.

“Analyzing the CCPA’s Impact on the Biometric Privacy Landscape,” by Jeffrey N. Rosenthal, David J. Oberly, and Harrison M. Brown was published in Legaltech News on October 14, 2020.

Reprinted with permission from the October 14, 2020, edition of Legaltech News © 2020 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com.