Skip Repeated Content

Is the CCPA’s definition of “biometric information” broader than the definition used by other states?

April 13, 2020

The CCPA defines “personal information” broadly as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 The statute includes a non-exhaustive list of eleven categories of data that may fall under that definition.  One of those categories is “biometric information.”2

While the CCPA provides a definition of “biometric information,” it is worth noting that the CCPA’s definition differs from the definition of the term within other statutes and legal systems.  The following provides a side-by-side comparison of the definition within the CCPA and the definition within the Illinois Biometric Information Privacy Act (“BIPA”).  In some ways, the California definition may be broader, as it purports to include such things as “imagery” of an individual’s palm or vein patterns, and voice recordings, so long as an “identifier template” can be created from such data.  It also purports to include characteristics such as “keystroke patterns or rhythms” that would rarely be considered “biometric data” by consumers or in other privacy statutes: 

CCPA3

Illinois Biometric Information Privacy Act (“BIPA”)4

“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

"Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

 

"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

 

 

 

For more information and resources about the CCPA visit http://www.CCPA-info.com. 


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code 1798.140(o)(1).

2. Cal. Civil Code 1798.140(o)(1)(E).

3. Cal. Civil Code 1798.140(b).

4. 40 ILCS 14/10.

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.