Bill Text: CA SB1189 | 2021-2022 | Regular Session | Amended
Bill Title: Biometric information.
Spectrum: Partisan Bill (Democrat 3-0)
Status: (Introduced - Dead) 2022-05-19 - May 19 hearing: Held in committee and under submission. [SB1189 Detail]
Download: California-2021-SB1189-Amended.html
|
Amended
IN
Senate
April 07, 2022 |
|
Amended
IN
Senate
March 28, 2022 |
CALIFORNIA LEGISLATURE—
2021–2022 REGULAR SESSION
Senate Bill
No. 1189
| Introduced by Senator Wieckowski (Coauthor: Senator Newman) (Coauthor: Assembly Member Luz Rivas) |
February 17, 2022 |
An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
SB 1189, as amended, Wieckowski.
Biometric information.
The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, establishes various rights that a consumer, as defined, has with respect to personal information, as defined, collected by a business, as defined, including the right of a person to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information. The act also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to certain prescribed uses, including a use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. The act defines “sensitive personal
information” to mean, among other things, the processing of biometric information, as defined, for the purpose of uniquely identifying a consumer.
On or before September 1, 2023, this bill would require a private entity in possession of biometric information, as defined, to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information, as prescribed. The bill would require a private entity to comply with that retention schedule and those guidelines. The bill would, among other things, prohibit a private entity from disclosing biometric information unless certain criteria are met, including the disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subject’s legally authorized representative. The bill would prohibit a private entity from conditioning the provision of a service on the collection, use,
disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service. The bill would authorize a person to bring a civil action against a private entity for violation of these provisions and to obtain certain relief, including the greater of statutory damages in an amount not less than $100 and not greater than $1,000 per violation per day or actual damages.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, immediately following Section 1798.202, to read:TITLE 1.81.7. Biometric Information
1798.300.
As used in this title:(a) (1) “Biometric information” means the data of an individual generated by automatic measurements of an individual’s unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individual’s identity.
(2) “Biometric information” does not include any of the following:
(A) A writing sample or written signature.
(B) A
photograph or video.
(C) A human biological sample used for valid scientific testing or screening.
(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.
(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.
(F) Information captured from a patient in a health care setting.
by a provider of health care, as defined in subdivision (m) of Section 56.05, including physicians and surgeons licensed by the Medical Board of California, for the purpose of health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 or the California Confidentiality of Medical Information Act.
(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.
(b) “Business purpose” has the same meaning as that term is defined in Section 1798.140.
(c) (1) “Private entity” means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.
(2) “Private entity” does not include a federal, state, or local government agency or an academic institution.
(d) “Written release” means either of the following:
(1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given.
(2) In the context of employment, a release
executed by an employee as a condition of employment.
1798.301.
(a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earliest of the following:(1) The date on which the initial purpose for collecting or obtaining the biometric information is
satisfied.
(2) One year after the individual’s last intentional interaction with the private entity.
(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individual’s representative.
(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).
(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.
(d) This section shall not apply to any disclosures made to a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the subject’s biometric information is disclosed to a public or private nonprofit secondary educational institution for the purpose of scientific research or educational activities, as described in paragraph (4) of subdivision (c) of Section 56.184.
1798.302.
(a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a person’s biometric information unless both of the following are true:(1) The private entity requires the biometric information for either of the following purposes:
(A) To provide a service requested or authorized by the subject of the biometric information.
(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.
(2) The private
entity first does both of the following:
(A) Informs the person or the person’s legally authorized representative, in writing, of both of the following:
(i) The biometric information being collected, stored, or used.
(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.
(B) Receives a written release executed by the subject of the biometric information or by the subject’s legally authorized representative.
(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or
otherwise combined with, another consent- or permission-seeking instrument or function.
(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.
(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minor’s parent or guardian.
1798.303.
A private entity shall not sell, lease, trade, or otherwise profit from the disclosure of a person’s biometric information or use for advertising purposes a person’s biometric information.1798.304.
A private entity shall not disclose biometric information unless any of the following are true:(a) The subject of the biometric information, or the subject’s legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:
(1) The data that will be disclosed.
(2) The reason for the disclosure.
(3) The recipients of the biometric information.
(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subject’s legally authorized representative.
(c) The disclosure meets either of the following criteria:
(1) It is required by law.
(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
1798.305.
A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entity’s industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.1798.306.
An individual alleging a violation of this title may bring a civil action for any of the following relief:(a) The greater of either of the following:
(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.
(2) Actual damages.
(b) Punitive damages.
(c) Reasonable attorney’s
fees and litigation costs.
(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.
1798.307.
This title does not do any of the following:(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.
(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
1798.308.
(a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individual’s rights under this title.
