| Old | New | Differences | |
|---|---|---|---|
| 1 | - | ||
| 1 | + | Amended IN Senate March 28, 2022 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Senate Bill No. 1189Introduced by Senator Wieckowski(Coauthor: Senator Newman)(Coauthor: Assembly Member Luz Rivas)February 17, 2022 An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTSB 1189, as amended, Wieckowski. Biometric information.The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting.(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied.(A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B)The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(b)(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. | |
| 2 | 2 | ||
| 3 | - | ||
| 3 | + | Amended IN Senate March 28, 2022 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Senate Bill No. 1189Introduced by Senator Wieckowski(Coauthor: Senator Newman)(Coauthor: Assembly Member Luz Rivas)February 17, 2022 An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTSB 1189, as amended, Wieckowski. Biometric information.The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO | |
| 4 | 4 | ||
| 5 | - | ||
| 5 | + | Amended IN Senate March 28, 2022 | |
| 6 | 6 | ||
| 7 | - | Amended IN Senate April 07, 2022 | |
| 8 | 7 | Amended IN Senate March 28, 2022 | |
| 9 | 8 | ||
| 10 | 9 | CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION | |
| 11 | 10 | ||
| 12 | 11 | Senate Bill | |
| 13 | 12 | ||
| 14 | 13 | No. 1189 | |
| 15 | 14 | ||
| 16 | 15 | Introduced by Senator Wieckowski(Coauthor: Senator Newman)(Coauthor: Assembly Member Luz Rivas)February 17, 2022 | |
| 17 | 16 | ||
| 18 | 17 | Introduced by Senator Wieckowski(Coauthor: Senator Newman)(Coauthor: Assembly Member Luz Rivas) | |
| 19 | 18 | February 17, 2022 | |
| 20 | 19 | ||
| 21 | 20 | An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy. | |
| 22 | 21 | ||
| 23 | 22 | LEGISLATIVE COUNSEL'S DIGEST | |
| 24 | 23 | ||
| 25 | 24 | ## LEGISLATIVE COUNSEL'S DIGEST | |
| 26 | 25 | ||
| 27 | 26 | SB 1189, as amended, Wieckowski. Biometric information. | |
| 28 | 27 | ||
| 29 | - | The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages. | |
| 28 | + | The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages. | |
| 30 | 29 | ||
| 31 | 30 | The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines sensitive personal information to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer. | |
| 32 | 31 | ||
| 33 | - | On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages. | |
| 32 | + | On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information. information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages. | |
| 34 | 33 | ||
| 35 | 34 | ## Digest Key | |
| 36 | 35 | ||
| 37 | 36 | ## Bill Text | |
| 38 | 37 | ||
| 39 | - | The people of the State of California do enact as follows:SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting | |
| 38 | + | The people of the State of California do enact as follows:SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting.(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied.(A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B)The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(b)(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. | |
| 40 | 39 | ||
| 41 | 40 | The people of the State of California do enact as follows: | |
| 42 | 41 | ||
| 43 | 42 | ## The people of the State of California do enact as follows: | |
| 44 | 43 | ||
| 45 | - | SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting | |
| 44 | + | SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting.(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied.(A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B)The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(b)(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. | |
| 46 | 45 | ||
| 47 | 46 | SECTION 1. Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read: | |
| 48 | 47 | ||
| 49 | 48 | ### SECTION 1. | |
| 50 | 49 | ||
| 51 | - | TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting | |
| 50 | + | TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting.(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied.(A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B)The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(b)(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. | |
| 52 | 51 | ||
| 53 | - | TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting | |
| 52 | + | TITLE 1.81.7. Biometric Information1798.300. As used in this title:(a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting.(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment.1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied.(A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B)The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(b)(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian.1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information.1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. | |
| 54 | 53 | ||
| 55 | 54 | TITLE 1.81.7. Biometric Information | |
| 56 | 55 | ||
| 57 | 56 | TITLE 1.81.7. Biometric Information | |
| 58 | 57 | ||
| 59 | - | 1798.300. As used in this title:(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting. | |
| 58 | + | 1798.300. As used in this title:(a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity.(2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.(a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity.(2) Biometric information does not include any of the following:(A) A writing sample or written signature.(B) A photograph or video.(C) A human biological sample used for valid scientific testing or screening.(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.(F) Information captured from a patient in a health care setting.(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.(b) Business purpose has the same meaning as that term is defined in Section 1798.140.(c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.(2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution.(d) Written release means either of the following: (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. (2) In the context of employment, a release executed by an employee as a condition of employment. | |
| 60 | 59 | ||
| 61 | 60 | ||
| 62 | 61 | ||
| 63 | 62 | 1798.300. As used in this title: | |
| 63 | + | ||
| 64 | + | (a)(1)Biometric information means a persons physiological, biological, or behavioral characteristics, including information pertaining to an individuals deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity. | |
| 65 | + | ||
| 66 | + | ||
| 67 | + | ||
| 68 | + | (2)Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. | |
| 69 | + | ||
| 70 | + | ||
| 64 | 71 | ||
| 65 | 72 | (a) (1) Biometric information means the data of an individual generated by automatic measurements of an individuals unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individuals identity. | |
| 66 | 73 | ||
| 67 | 74 | (2) Biometric information does not include any of the following: | |
| 68 | 75 | ||
| 69 | 76 | (A) A writing sample or written signature. | |
| 70 | 77 | ||
| 71 | 78 | (B) A photograph or video. | |
| 72 | 79 | ||
| 73 | 80 | (C) A human biological sample used for valid scientific testing or screening. | |
| 74 | 81 | ||
| 75 | 82 | (D) A physical description, including height, weight, hair color, eye color, or a tattoo description. | |
| 76 | 83 | ||
| 77 | 84 | (E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum. | |
| 78 | 85 | ||
| 79 | - | (F) Information captured from a patient in a health care setting. | |
| 86 | + | (F) Information captured from a patient in a health care setting. | |
| 80 | 87 | ||
| 81 | 88 | (G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography. | |
| 82 | 89 | ||
| 83 | 90 | (b) Business purpose has the same meaning as that term is defined in Section 1798.140. | |
| 84 | 91 | ||
| 85 | 92 | (c) (1) Private entity means an individual, partnership, corporation, limited liability company, association, or similar group, however organized. | |
| 86 | 93 | ||
| 87 | - | (2) Private entity does not include a federal, state, or local government agency or an academic institution. | |
| 94 | + | (2) Private entity does not include the University of California. a federal, state, or local government agency or an academic institution. | |
| 88 | 95 | ||
| 89 | 96 | (d) Written release means either of the following: | |
| 90 | 97 | ||
| 91 | 98 | (1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given. | |
| 92 | 99 | ||
| 93 | 100 | (2) In the context of employment, a release executed by an employee as a condition of employment. | |
| 94 | 101 | ||
| 95 | - | 1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court. | |
| 102 | + | 1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied.(A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection.(B)The individual from whom the biometric information was collected could have declined the collection without consequence.(2) One year after the individuals last intentional interaction with the private entity.(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative.(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).(b)(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court. | |
| 96 | 103 | ||
| 97 | 104 | ||
| 98 | 105 | ||
| 99 | - | 1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earliest of the following: | |
| 106 | + | 1798.301. (a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earlier earliest of the following: | |
| 100 | 107 | ||
| 101 | - | (1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied. | |
| 108 | + | (1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied if both of the following are true: satisfied. | |
| 109 | + | ||
| 110 | + | (A)The individual from whom the biometric information was collected freely consented to the original purpose for the collection. | |
| 111 | + | ||
| 112 | + | ||
| 113 | + | ||
| 114 | + | (B)The individual from whom the biometric information was collected could have declined the collection without consequence. | |
| 115 | + | ||
| 116 | + | ||
| 102 | 117 | ||
| 103 | 118 | (2) One year after the individuals last intentional interaction with the private entity. | |
| 104 | 119 | ||
| 105 | 120 | (3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individuals representative. | |
| 106 | 121 | ||
| 107 | 122 | (b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a). | |
| 108 | 123 | ||
| 124 | + | (b) | |
| 125 | + | ||
| 126 | + | ||
| 127 | + | ||
| 109 | 128 | (c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court. | |
| 110 | - | ||
| 111 | - | (d) This section shall not apply to any disclosures made to a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the subjects biometric information is disclosed to a public or private nonprofit secondary educational institution for the purpose of scientific research or educational activities, as described in paragraph (4) of subdivision (c) of Section 56.184. | |
| 112 | 129 | ||
| 113 | 130 | 1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:(A) To provide a service requested or authorized by the subject of the biometric information.(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.(2) The private entity first does both of the following:(A) Informs the person or the persons legally authorized representative, in writing, of both of the following:(i) The biometric information being collected, stored, or used.(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.(B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative.(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian. | |
| 114 | 131 | ||
| 115 | 132 | ||
| 116 | 133 | ||
| 117 | 134 | 1798.302. (a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a persons biometric information unless both of the following are true: | |
| 118 | 135 | ||
| 119 | 136 | (1) The private entity requires the biometric information for either of the following purposes: | |
| 120 | 137 | ||
| 121 | 138 | (A) To provide a service requested or authorized by the subject of the biometric information. | |
| 122 | 139 | ||
| 123 | 140 | (B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301. | |
| 124 | 141 | ||
| 125 | 142 | (2) The private entity first does both of the following: | |
| 126 | 143 | ||
| 127 | 144 | (A) Informs the person or the persons legally authorized representative, in writing, of both of the following: | |
| 128 | 145 | ||
| 129 | 146 | (i) The biometric information being collected, stored, or used. | |
| 130 | 147 | ||
| 131 | 148 | (ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used. | |
| 132 | 149 | ||
| 133 | 150 | (B) Receives a written release executed by the subject of the biometric information or by the subjects legally authorized representative. | |
| 134 | 151 | ||
| 135 | 152 | (b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function. | |
| 136 | 153 | ||
| 137 | 154 | (2) A private entity shall not combine a written release described in subdivision (a) with an employment contract. | |
| 138 | 155 | ||
| 139 | 156 | (3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minors parent or guardian. | |
| 140 | 157 | ||
| 141 | - | 1798.303. A private entity shall not sell, lease, trade, or otherwise profit from the disclosure of a persons biometric information or use for advertising purposes a persons biometric information. | |
| 158 | + | 1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information. | |
| 142 | 159 | ||
| 143 | 160 | ||
| 144 | 161 | ||
| 145 | - | 1798.303. A private entity shall not sell, lease, trade, or otherwise profit from the disclosure of a persons biometric information or use for advertising purposes a persons biometric information. | |
| 162 | + | 1798.303. A private entity shall not sell, lease, trade, use for advertising purposes, or otherwise profit from the disclosure of a persons biometric information. information or use for advertising purposes a persons biometric information. | |
| 146 | 163 | ||
| 147 | 164 | 1798.304. A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:(1) The data that will be disclosed.(2) The reason for the disclosure.(3) The recipients of the biometric information.(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative.(c) The disclosure meets either of the following criteria:(1) It is required by law.(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction. | |
| 148 | 165 | ||
| 149 | 166 | ||
| 150 | 167 | ||
| 151 | 168 | 1798.304. A private entity shall not disclose biometric information unless any of the following are true: | |
| 152 | 169 | ||
| 153 | 170 | (a) The subject of the biometric information, or the subjects legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following: | |
| 154 | 171 | ||
| 155 | 172 | (1) The data that will be disclosed. | |
| 156 | 173 | ||
| 157 | 174 | (2) The reason for the disclosure. | |
| 158 | 175 | ||
| 159 | 176 | (3) The recipients of the biometric information. | |
| 160 | 177 | ||
| 161 | 178 | (b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subjects legally authorized representative. | |
| 162 | 179 | ||
| 163 | 180 | (c) The disclosure meets either of the following criteria: | |
| 164 | 181 | ||
| 165 | 182 | (1) It is required by law. | |
| 166 | 183 | ||
| 167 | 184 | (2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction. | |
| 168 | 185 | ||
| 169 | 186 | 1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information. | |
| 170 | 187 | ||
| 171 | 188 | ||
| 172 | 189 | ||
| 173 | 190 | 1798.305. A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entitys industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information. | |
| 174 | 191 | ||
| 175 | 192 | 1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.(2) Actual damages.(b) Punitive damages.(c) Reasonable attorneys fees and litigation costs.(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate. | |
| 176 | 193 | ||
| 177 | 194 | ||
| 178 | 195 | ||
| 179 | 196 | 1798.306. An individual alleging a violation of this title may bring a civil action for any of the following relief: | |
| 180 | 197 | ||
| 181 | 198 | (a) The greater of either of the following: | |
| 182 | 199 | ||
| 183 | 200 | (1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day. | |
| 184 | 201 | ||
| 185 | 202 | (2) Actual damages. | |
| 186 | 203 | ||
| 187 | 204 | (b) Punitive damages. | |
| 188 | 205 | ||
| 189 | 206 | (c) Reasonable attorneys fees and litigation costs. | |
| 190 | 207 | ||
| 191 | 208 | (d) Any other relief, including equitable or declaratory relief, that the court determines appropriate. | |
| 192 | 209 | ||
| 193 | 210 | 1798.307. This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.). | |
| 194 | 211 | ||
| 195 | 212 | ||
| 196 | 213 | ||
| 197 | 214 | 1798.307. This title does not do any of the following: | |
| 198 | 215 | ||
| 199 | 216 | (a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person. | |
| 200 | 217 | ||
| 201 | 218 | (b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). | |
| 202 | 219 | ||
| 203 | 220 | (c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.). | |
| 204 | 221 | ||
| 205 | 222 | 1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. | |
| 206 | 223 | ||
| 207 | 224 | ||
| 208 | 225 | ||
| 209 | 226 | 1798.308. (a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. | |
| 210 | 227 | ||
| 211 | 228 | (b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individuals rights under this title. |