With special thanks to our data privacy colleague Helena Engfeldt for her contributions.
On February 17, 2022, California Senator Bob Wieckowski introduced a bill (SB 1189) that would add protections for biometric information and establish a private right of action permitting individuals to allege a violation of the law and bring a civil action. The legislation is similar to the Biometric Information Privacy Act in Illinois (BIPA), which is creating expensive headaches for Illinois employers. (Read about the latest BIPA developments here.) If enacted, the law will cover all employers that use biometric time-keeping systems in California. Many employers would have to navigate the law alongside other California privacy laws such as the California Consumer Privacy Act (CCPA).
Here’s what employers need to know about SB 1189:
Covered employers?
The bill would apply to any private entity regardless of size. “Private entity” is defined as an individual, partnership, corporation, limited liability company, association, or similar group, however organized.
How does the bill define biometric information?
- A person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity;
- It includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
What obligations would the bill create for employers?
First, the bill would prohibit employers from collecting or capturing a person’s biometric information unless the employer requires the biometric information either to (i) provide a service requested or authorized by the subject of the biometric information, or (ii) satisfy another valid business purpose (as defined in the CCPA) which is included in a written public policy (see below).
Prior to collecting or capturing a person’s biometric information, the employer must:
- Inform the person or their legally authorized representative, in writing, of both the biometric information being collected, stored, or used, and the specific purpose and length of time for which the biometric information is being collected, stored, or used, and
- Receive a written release executed by the subject of the biometric information or their legally authorized representative. (Note: the written release cannot be combined with an employment contract or another consent form. And, subject to exceptions, a written release is also required before disclosure of the biometric information.)
Employers in possession of biometric information would be required to develop and make available to the public a written policy that establishes a retention schedule and guidelines for destroying biometric information. In general, destruction of the information would be required no later than one year after the individual’s last intentional interaction with the private entity.
Is a civil action available for alleged violations?
Yes. This is where the danger lies. Individuals alleging a violation may bring a civil action for any of the following:
- The greater of either of the following:
  - Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.
  - Actual damages.
- Punitive damages.
- Reasonable attorney’s fees and litigation costs.
- Any other relief, including equitable or declaratory relief, that the court determines appropriate.
What should employers do now? To get ahead, we recommend:
- Conducting an audit of company operations to determine where and how biometric information is potentially being collected (this is something businesses subject to the CCPA should have done with respect to all categories of personal information, and ahead of January 1, 2023 businesses should separately consider whether and to what extent they process “sensitive personal information” including biometric information, as such processing triggers new compliance obligations under the CCPA from January 1, 2023);
- Taking stock of the purpose and terms of any collection of biometric information;
- Investigating how the company could implement retention schedules / destruction of biometric information;
- Monitoring the status of the bill (by keeping up with the Employer Report!).