What the California Consumer Privacy Act means for biometrics
Justine Brown | May 8, 2019
Add California to the list of states with laws prohibiting the use of facial recognition technology to identify people without their informed consent. Other states with a similar regulation include Texas, Illinois and Washington.
Last June, California passed the California Consumer Privacy Act, which will change how companies in the state collect and commercialize consumer data. The groundbreaking consumer privacy rights law, which goes into effect on Jan. 1, 2020, enacts rules that make the collection, sharing and sale of personal information, including biometrics, more transparent.
How the legislation will govern biometrics needs additional clarification, but here is what’s known so far:
- The California Consumer Privacy Act includes biometric information within the definition of personal information, and defines it as “an individual’s physiological, biological or behavioral characteristics … that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina … [and] face …, from which an identifier template such as a faceprint … can be extracted ….”
- The law has three thresholds for businesses. If the business has annual gross revenue of more than $25 million or annually receives the personal information of 50,000 or more consumers, it must comply with the law. If a company is collecting the personal information of more than 137 people a day, it must comply with the law.
What the law means for businesses that use biometrics
Businesses that must comply with the law need to let consumers know if they are collecting biometric information. Businesses must also be prepared to provide that information to consumers should they ask for it and delete that information if a consumer requests it.
What happens if a business doesn’t comply? The California attorney general can enforce the law, subject to a thirty-day cure period. The penalty for intentional violations can total $7,500 per violation. Facebook, Google, Comcast, AT&T and Verizon lobbied against the legislation while privacy advocates supported it.
The California attorney general is likely to amend and clarify the law once before it goes into effect approximately six months from now. Companies that conduct business in California should start preparing now. Failing to comply can mean stiff penalties.