California Amends CPRA to Protect Biometric Data

Over the last several years, California legislators have been leading the country in creating new privacy protections for consumers.

These legislative actions, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), have been primarily focused on granting consumers the right to know when organizations collect, retain, and sell their personal data, the nature of the personal data collected, the right to correct, delete, and transfer that information, and the right to opt out of collection and sale.

Recently proposed amendments seek to expand these rights and protections even further, with Senate Bill 1189, which would regulate the way data processors can use California consumers’ biometric data.

Introduction of Biometric Information Protections

SB 1189 was introduced by California State Senator Bob Wieckowski on February 17, 2022. Under this bill, the data privacy rights and protections afforded under the CPRA would be expanded to include specific protections for biometric information.

Under SB 1189, biometric information has the same broad definition as the CCPA, which is, “a person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.”

Although the SB 1189 definition of biometric information is the same, the application of the bill includes one major difference from the CCPA, in that it applies to private entities.

Under the bill, private entities would be prohibited from collecting, retaining, distributing or purchasing a person’s biometric information, unless they can prove the information is required to provide the consumer’s requested service or to satisfy a valid “business purpose,” such as:

  • Auditing the current interaction with a consumer;

  • Detecting and protecting against security incidents or threats;

  • Acting to improve or repair errors impairing the organization’s system;

  • Using the information for a short-term and transient use that does not include re-distribution of personal information or use of personal information to better target the consumer;

  • Performing services for the business or service provider; or

  • Undertaking internal research for development and demonstration of the organization’s technologies or the quality or safety of an organization’s provided goods or service.

Entities must also provide the consumer with written notice of the biometric information being collected, stored, or used, and of the specific purpose and length of time for these activities. Consumers would need to be given the opportunity to opt in to these activities.

If a private entity does intend to possess consumers’ biometric information, it must also provide the public with a written policy establishing a retention schedule and policy for destroying biometric information that will no longer be retained, or was collected more than one year after its owner’s last intentional interaction with the entity.

If it is determined that a private entity collects, stores, or utilizes a consumer’s biometric information in an improper or impermissible manner, the consumer may bring a private right of action against the entity alleging a violation of the CCPA, as amended by the CPRA, and bring a civil action for the greater of statutory damages between $100 and $1,000 per violation per day, and actual damages, punitive damages, reasonable attorney’s fees and litigation costs; or any relief that the court determines to be appropriate, including equitable or declaratory relief.

Impact of the Proposed Legislation

Although SB 1189 has yet to be approved, there are currently 13 states that have enacted or proposed privacy legislation that would safeguard biometric information. This is likely because, as Senator Wieckowski says, “biometric technologies are becoming more prevalent in our society and it is important that we safeguard consumers from this encroachment into their privacy.”

Although the CPRA is not set to take effect until January 1, 2023, Section 25 of the CPRA limits the ability of the California legislature to make changes to the CPRA unless the changes are “consistent with and further the purposes and intent” of the CCPA, as amended by the CPRA provisions.

As such, this standard must be met in order for the most recent proposed amendment to the CPRA, Senate Bill 1189 (SB 1189 or “bill”), to be approved and implemented by legislators.
