What the California Consumer Privacy Act means for biometrics

authenticator app biometric authentication identity verificationAdd California to the list of states with laws prohibiting the use of facial recognition technology to identify people without their informed consent. Other states with a similar regulation include Texas, Illinois and Washington.

Last June, California passed the California Consumer Privacy Act, which will change how companies in the state collect and commercialize consumer data. The groundbreaking consumer privacy rights law, which goes into effect on Jan. 1, 2020, enacts rules that make the collection, sharing and sale of personal information, including biometrics, more transparent.  

How the legislation will govern biometrics needs additional clarification, but here is what’s known so far:

  • The California Consumer Privacy Act includes biometric information within the definition of personal information, and defines it as “an individual’s physiological, biological or behavioral characteristics … that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina … [and] face …, from which an identifier template such as a faceprint … can be extracted ….”
  • The law has three thresholds for businesses. If the business has annual gross revenue of more than $25 million or annually receives the personal information of 50,000 or more consumers, it must comply with the law. If a company is collecting the personal information of more than 137 people a day, it must comply with the law.

What the law means for businesses that use biometrics

Businesses that must comply with the law need to let consumers know if they are collecting biometric information. Businesses must also be prepared to provide that information to consumers should they ask for it and delete that information if a consumer requests it.

Businesses that sell personal information acquired from facial recognition technology to third parties need to remove images of children who are under 16 before the data is sold. Or, they can capture opt-in consent from children between 13 and 16, and from a parent or guardian if the child is under 13. The law also requires the business’ homepage to contain a link labelled Do Not Sell My Personal Information and in the privacy policy. When people click on this link, they must be taken to a form that permits them to opt out of the sale of their personal information.

What happens if a business doesn’t comply? The California attorney general can enforce the law, subject to a thirty-day cure period. The penalty for intentional violations can total $7,500 per violation. Facebook, Google, Comcast, AT&T and Verizon lobbied against the legislation while privacy advocates supported it.

The California attorney general is likely to amend and clarify the law once before it goes into effect approximately six months from now.  Companies that conduct business in California should start preparing now. Failing to comply can mean stiff penalties.

Learn more about Veridium’s biometric authentication platform.