In 2018, California took a ground-breaking step in data privacy with the enactment of the California Consumer Privacy Act (CCPA), the first comprehensive state law of its kind. Building on this foundation, the California Privacy Rights Act (CPRA) was introduced in 2020, expanding and enhancing the protection of consumer rights. This blog post delves into the intricacies of biometric privacy laws in California, examining the CCPA, the role of the California Privacy Protection Agency, and the implications of recent regulations that came into effect on March 31, 2023.
1. The CCPA and CPRA: A Consumer-Centric Approach
California’s data privacy framework distinguishes itself by granting consumers a series of access and “opt-out” rights, a departure from the “opt-in” consent approach adopted by the GDPR and some other states. The CCPA, enacted in 2018, laid the groundwork, and the CPRA, introduced in 2020, expanded and fortified these provisions.
The California Privacy Protection Agency plays a pivotal role in enforcing and implementing these laws, promulgating regulations to guide businesses on informing consumers about their rights, handling consumer requests, verifying identities, and applying the law across various provisions and activities.
2. Applicability Criteria: Who is Covered?
The requirements of the CCPA and CPRA apply to entities conducting business in California that meet specific criteria:
- Gross annual revenue exceeding $25 million
- Engaging in the buying, selling, or sharing of personal information for 100,000 or more California residents, households, or devices
- Deriving 50% or more of annual revenue from selling the personal information of California residents
3. Biometric Information under the Law
A notable inclusion in the definition of sensitive personal information is biometric information. The law defines biometric information broadly as “an individual’s physiological, biological, or behavioral characteristics,” encompassing DNA information, facial features, fingerprints, voice recordings, and more. This expansive definition reflects the comprehensive nature of the biometric privacy protections provided by California law.
4. Rights and Limitations: Balancing Privacy and Security
The law generally grants consumers the right to limit the use and disclosure of their sensitive personal information, including biometric data. However, Section 7027(m) of the regulations outlines specific uses and disclosures exempt from the requirement to provide notice or a method for submitting a request to limit. Notably, these exemptions align with security technology applications, including:
- Performing the services or providing the goods expected by an average consumer who requests those goods or services
- Preventing, detecting, and investigating security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information
- Resisting malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions
- Ensuring the physical safety of individuals
Charting the Course in the Biometric Privacy Landscape
As organizations navigate the complex terrain of California’s biometric privacy laws, understanding the nuanced rights and obligations is paramount. The recent regulations, effective from March 31, 2023, add an extra layer of complexity, making it imperative for businesses to stay abreast of developments and ensure compliance with the evolving legal landscape. Striking the right balance between privacy and security is not only a legal requirement but also a crucial step in building trust with consumers in the era of heightened data awareness.
Learn more by downloading SIA’s guide to U.S. Biometric Privacy Laws, which stands as a valuable resource for business users and industry suppliers seeking to navigate the intricate web of biometric privacy laws.