Schedule a Consultation: 858.483.9200
San Diego Businesses: Prepare to Protect Biometric Data
For several years now, Illinois has been on the forefront of protecting biometric data. Biometric data encompasses any sort of personally identifying biological information like a fingerprint or a retinal print or biometric information like the manner in which you walk. However, starting on January 1, 2020, California will leapfrog Illinois in the protection of biometric data. The recently enacted California Consumer Privacy Act covers biometric data with an expansive definition — much broader than the definition used in Illinois. See Cal. Civ. Code, § 1798.100 et seq. Employers are increasingly using fingerprints and facial recognition software to secure locks, computers, email accounts, and for verifying clocking in and out for hourly workers. Starting in 2020, employers will need to have policies and procedures in place for obtaining consents and providing notice to employees about how that information is collected, stored, shared, and destroyed. An experienced San Diego corporate attorney can help draft and review such policies and procedures and ensure that your business is in compliance.
A recent decision from the Illinois Supreme Court gives a good example of what is likely to be the norm soon in California. The case was Rosenbach v. Six Flags Entertainment Corporation, Case No. 2019 IL 123186 (Ill. Supreme Court January 25, 2019). That case involved a summer season pass bought for a teenager to the Six Flags Amusement park located west and a bit north of Chicago. Season passes are now activated by use of the holder’s fingerprint, biometric data. Six Flags scanned the fingerprint of the young man involved in the case and stored that information electronically and used it to allow the young man to enter the park. However, no notice or other information was provided to the young man or his parents. Illinois has a statute called the Illinois Biometric Privacy Act. This Act requires certain written notifications when biometric information is collected. The notice must inform the person that biometric information is being collected, what type of biometric information is being collected, how it is stored, what the information will be used for, how it will be shared, and more. The Illinois Act allows a private right of action for violations.
In the Rosenbach case, Six Flags did not provide any of the required notices. His mother eventually filed suit on behalf of her son. Six Flags defended by claiming that there had been no injury to the young man or his parents. The information was not shared or lost in a data breach or otherwise compromised. However, the Illinois Supreme Court rejected the defense. The court held that no actual injury was needed as a precondition for filing suit under the Act.
The case provides another important reminder that caution and privacy compliance will soon become necessary here in California for businesses that use any form of biometric data. Under the California Consumer Privacy Act, what constitutes “biometric information” is broad. The definition is long but important to set out in full:
“an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.” Cal. Civ. Code §1798.140(B).
Obviously, the California Act is different from the Illinois Act and California courts may well require some sort of injury before suit can be brought under the California statute. As currently written, the California Consumer Privacy Act allows a private right of action only for data breaches. However, that may be changed or expanded by the courts. A private right of action exists under other laws like the California Unfair Competition Law. Cal. Bus. & Prof. Code § 17200 et seq. That law prohibits businesses from engaging in “unlawful” practices. Often what is an “unlawful” practice is taken from other statutes. Thus, careful attention is needed to ensure compliance and to avoid results like the Illinois Rosenbach case.
Contact San Diego Corporate Law Today
If you would like more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard’s law practice is focused on business, transactional, and corporate matters and he proudly provides legal services to business owners in San Diego and the surrounding communities. Like us on Facebook.
You Might Also Like:
Sexual Harassment Claims: Can I Make My Employees Take Polygraph Tests?
Reasons for Caution: Employee-Operated Social Media Accounts
Keeping Biometric Data Private and Secure
Business Identity Theft: As Destructive as Personal Identity Theft
Data Security and M&A Due Diligence: Lessons From Marriott/Starwood