State flag of California

Although California does not have a specific biometric privacy law like Illinois’s 2008 Biometric Information Privacy Act (BIPA) or its recently enacted 2019 Artificial Intelligence Video Interview Act (AIVIA), stay tuned for the impact of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.  The CCPA will directly affect how certain employers use biometric data in the workplace.

As drafted, the CCPA will require that businesses provide individuals with notice of the personal data being collected about them; whether it is sold or disclosed and to whom; and the ability to opt out, access collected personal data, and request deletion. The law will apply to companies doing business in California with more than $25 million in gross revenues or that possess or sell significant amounts of personal information.

Because the CCPA was so broad when enacted, amendments to its provisions were anticipated nearly immediately. Among those amendments is Assembly Bill (AB) 25, which would limit employer obligations under the CCPA.  The amendment seeks to limit the definition of “consumer” to exclude applicants, employees, contractors, or agents of a business. Employment-related collection of data about these groups of individuals would not be subject to the consent and deletion requirements of the CCPA. Employers subject to the CCPA would still be required to provide notice to individuals of the categories of personal information collected and the intended use.

Because the CCPA treats biometric information (including facial recognition data) like other personal information, it appears likely that employers using biometrics in the workplace—including, for example, biometric security and video recruitment tools—will be required to inform employees that such technology is in use and disclose the purposes for any data collected. It remains to be seen, however, whether employers may also be required to obtain consent, as is required under the BIPA and AIVIA. Stay tuned.


Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now