CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Senate Bill No. 1189Introduced by Senator WieckowskiFebruary 17, 2022 An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTSB 1189, as introduced, Wieckowski. Biometric information.The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B) The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Senate Bill No. 1189Introduced by Senator WieckowskiFebruary 17, 2022 An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTSB 1189, as introduced, Wieckowski. Biometric information.The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION
Senate Bill
No. 1189
Introduced by Senator WieckowskiFebruary 17, 2022
Introduced by Senator Wieckowski
February 17, 2022
An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
SB 1189, as introduced, Wieckowski. Biometric information.
The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.
The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.
On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B) The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B) The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:
### SECTION 1.
TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B) The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B) The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
TITLE 1.81.7. Biometric Information
TITLE 1.81.7. Biometric Information
1798.300. As used in this title:(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.
1798.300. As used in this title:
(a) (1) Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.
(2) Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(b) Business purpose has the same meaning as that term is defined in Section 1798.140.
(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.
(2) Private entity does not include the University of California.
(d) Written release means either of the following:
(1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given.
(2) In the context of employment, a release executed by an employee as a condition of employment.
1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B) The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.
1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier of the following:
(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true:
(A) The individual from whom the biometric information was collected freely consented to the original purpose for the collection.
(B) The individual from whom the biometric information was collected could have declined the collection without consequence.
(2) One year after the individuals last intentional interaction with the private entity.
(b) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.
1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.
1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:
(1) The private entity requires the biometric information for either of the following purposes:
(A) To provide a service requested or authorized by the subject of the biometric information.
(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.
(2) The private entity first does both of the following:
(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:
(i) The biometric information being collected, stored, or used.
(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.
(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.
(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.
(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.
(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.
1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.
1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from a persons biometric information.
1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
1798.304. A private entity shall not disclose biometric information unless any of the following are true:
(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:
(1) The data that will be disclosed.
(2) The reason for the disclosure.
(3) The recipients of the biometric information.
(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.
(c) The disclosure meets either of the following criteria:
(1) It is required by law.
(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.
1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:
(a) The greater of either of the following:
(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.
(2) Actual damages.
(b) Punitive damages.
(c) Reasonable attorneys fees and litigation costs.
(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.
1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
1798.307. This title does not do any of the following:
(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.
(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).