Facebook’s $550 million settlement, announced this week to resolve a lawsuit alleging it violated Illinois’ Biometric Information Privacy Act (BIPA), is the largest consumer privacy settlement in the United States.  While the case was under Illinois law, California recently joined Illinois and other states in providing consumers (and employees) rights and control over their personal information under the California Consumer Privacy Act (CCPA).  The CCPA, which is effective January 1, 2020, requires employers to comply with requirements about the collection, storage and use of employee information, which includes biometric information.  I also spoke this week at Boston University School of Law’s JOSTL & PILJ Symposium on the implications of biometric laws and litigation facing private entities and the current obligations of California employers with respect to biometric information.  With the Facebook settlement, and the CCPA becoming effective in 2020, here is a brief overview of employees’ privacy interests in biometric information under California law.

1. Facebook’s $550 million settlement is a bellwether of the serious concerns over data collection.

Facebook’s settlement involved Illinois’ law, the BIPA.  Illinois is only one of a few states that provide certain protections for an individual’s data, including biometric data.  Illinois, Texas, Washington state, and most recently California have statutes that require some type of notice and voluntary consent before biometric information is collected by a private company.  It is important to note that there is no restriction regarding law enforcement’s collection of biometric data.  I expect this to be the next area of focus, and the government’s potential misuse and abuse of this information far exceeds most threats from a private entity.  With California’s CCPA becoming effective January 1, 2020, it is expected that other states will consider similar consumer data protection laws and it is inevitable that litigation will follow.

2. Employers’ obligations under the California Consumer Privacy Act.

The CCPA covers employers’ collection of data for applicants and employees.  The CCPA applies to companies doing business in California that meet any of the following thresholds:

  • Annual gross revenues that exceed $25 million
  • Annually buys, receives, shares, or sells the personal information of more than 50,000 consumers, households, or devices for commercial purposes (alone or in combination); or
  • Derives 50% or more of annual revenues from selling consumers’ personal information

While the thresholds seemingly set a high bar, the second threshold, which pertains to businesses that “receive” personal information of more than 50,000 consumers, is not difficult to meet if consumers are tracked based on website visits in combination with information gathered from employees and current customers.  The CCPA requires covered businesses to provide certain notices to consumers (which includes employees) about the type of information that is collected and how the business uses the information.  The law also requires that consumers be able to request a copy of the information collected on them and to request that the data be deleted.

3. The CCPA was amended to extend some, but not all, deadlines for employers to comply with the law.

The CCPA became effective January 1, 2020, but AB 25 delays employers’ compliance with all provisions of the CCPA, except for two, until January 1, 2021.  As of January 1, 2020, businesses must comply with the requirement to take reasonable measures to protect consumers’ data, and AB 25 does not delay the right for consumers to bring a private civil action for failures to do so.  In addition, AB 25 does not delay the obligation of employers to inform applicants and employees about the categories of personal information being collected and how that information will be used.

4. The CCPA covers many categories of personal information, including biometric data.

The CCPA defines “personal information” as eleven categories of information.  The law defines personal information as follows:

 “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

The CCPA also makes clear that its provisions apply regardless of how the data is collected, such as online over the Internet, using pen and paper, or even through an algorithm.

5. California Labor Code section 1051 prohibits employers from sharing biometric information with third parties.

Existing California Labor Code section 1051 prohibits California employers from obtaining fingerprints or photographs from employees and then sharing this information with a third party.  Violation of the section is a misdemeanor.  Therefore, biometric information may be used in the workplace, such as for time clocks, but employers may not share this information with an outside third party under this Labor Code section.

Employers should review whether the vendor providing the technology to the company has access to the employee biometric information.  Moreover, employers that obtain this information must be careful to protect the information from inadvertent disclosures to third parties.  Disclosures resulting from being hacked or from inadvertent disclosure by the employer would likely be actionable under Labor Code section 1051 and California’s constitutional right to privacy.  Such a breach of biometric information would also violate the CCPA.

The California Attorney General’s enforcement of the CCPA does not start until July 1, 2020.  In the meantime, the Attorney General is seeking public input to develop regulations to clarify how the CCPA will apply to California businesses.  More information about the rulemaking process and announcements of new regulations can be found on the Attorney General’s website.