Keypoint: The CPRA, CPA, and VCDPA vary in both their definitions of biometric information/data and their compliance obligations.
This is the second article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between these bills. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we examine how the three laws will treat biometric information (or biometric data as the term is used in Colorado and Virginia). The California Consumer Privacy Act (CCPA) already addresses biometric information but only as an element of personal information. The CPRA will include certain types of biometric information as “sensitive personal information” and provide consumers the right to limit businesses’ use of that information. Virginia and Colorado will require controllers to obtain consumer consent for the processing of biometric data for the purpose of uniquely identifying a natural person. However, Virginia’s definition of biometric data is much narrower than California’s definition. Meanwhile, Colorado’s law does not define the term at all.
Below is an analysis of this issue.
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The CCPA broadly defines “biometric information” as follows:
“Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
The CCPA treats biometric information the same as other categories of personal information with the exception that “biometric information collected by a business about a consumer without the consumer’s knowledge” cannot qualify as publicly available information. This exception remains in the CPRA. We analyzed the publicly available carveout under these three laws in our first post in this series.
The CPRA changes the treatment of biometric information in two ways. First, it slightly modifies the first sentence of the definition, adding the reference to “information pertaining to” DNA and replacing the CCPA’s “can be used” with “is used or is intended to be used,” so that the sentence now reads:
“Biometric information” means an individual’s physiological, biological or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.
Second, the CPRA includes certain types of biometric information in the newly created category of “sensitive personal information.” Specifically, sensitive personal information includes the “processing of biometric information for the purpose of uniquely identifying a consumer.” For example, a customer service call recording may qualify as a voice recording under the definition of biometric information (if an identifier template can be extracted) but it would not constitute sensitive personal information if the voice recording is not being used to identify a consumer.
Further, the CPRA creates new requirements for sensitive personal information such as allowing consumers to limit a business’s use of sensitive personal information to certain defined purposes. The California Privacy Protection Agency also must issue regulations for an opt-out preference signal that indicates a consumer’s intent to limit the use or disclosure of sensitive personal information. We will analyze the CPRA’s treatment of sensitive personal information further in a future article in this series.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA’s treatment of biometric data differs from the CPRA’s treatment of biometric information in four notable respects.
First, the VCDPA contains a more restrictive definition:
“Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
Among other differences, the Virginia definition does not reference physiological or behavioral characteristics or DNA and, whereas the CPRA specifically includes voice recordings, the VCDPA specifically excludes them. Also noteworthy, per the VCDPA Work Group’s Final Report (as summarized here), “the VCDPA omitted any reference to or regulation of facial recognition technology because that was a contributing factor to the Washington [Privacy Act’s] failure to pass”. The VCDPA also requires that the data be “generated by automatic measurements” which is not contained in the CPRA’s definition.
Second, unlike the CPRA, the VCDPA does not specifically exclude biometric data from the definition of publicly available information.
Third, in what may be considered a more restrictive provision than the CPRA, the VCDPA requires controllers to obtain consumer consent prior to processing sensitive data, which is defined to include “biometric data for the purpose of uniquely identifying a natural person.” The VCDPA defines “consent” as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
Finally, the VCDPA requires controllers to conduct and document data protection assessments for the processing of sensitive data. We will explore data protection assessments in a future article in this series.
Colorado Privacy Act (CPA)
The CPA’s treatment of biometric data is similar to the VCDPA but differs in two significant respects.
First, the CPA does not define biometric data. In theory, the Attorney General’s Office may define the term during its rulemaking activities although the office has not indicated that it will do so. In the absence of a legislative or regulatory definition, controllers can look to the definition of “biometric data” in Colorado’s data breach notification statute, C.R.S. § 6-1-716, which states:
“Biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.
However, this definition is likely too restrictive for the CPA because it links the use of biometric data to account authentication.
The second notable difference from the VCDPA is that the CPA has a stronger definition of “consent,” mirroring the CPRA’s definition:
“Consent” means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent:
(a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
(b) Hovering over, muting, pausing, or closing a given piece of content; and
(c) Agreement obtained through dark patterns.
The inclusion of “dark patterns” is particularly notable, as the Colorado Attorney General’s Office has already stated that it will consider rulemaking on that topic. The CPA defines “dark patterns” to mean “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.”
Consequences of the Variations
Although all three laws regulate the processing of biometric information/data, the laws vary widely in their definitions and requirements. Given the various approaches, companies subject to these laws will need to inventory their biometric information/data and understand their compliance obligations, such as providing proper notices, obtaining consumer consent or allowing consumers to restrict the use of such data, and conducting data protection assessments.