TITLE 1.81.7. Biometric Information
1798.300.
As used in this title:
(a) (1) “Biometric information” means the data of an individual generated by automatic measurements of an individual’s unique biological or behavioral characteristics, including a faceprint, fingerprint, voiceprint, retina or iris image, or any other biological characteristic that can be used to authenticate the individual’s identity.
(2) “Biometric information” does not include any of the following:
(A) A writing sample or written signature.
(B) A photograph or video.
(C) A human biological sample used for valid scientific testing or screening.
(D) A physical description, including height, weight, hair color, eye color, or a tattoo description.
(E) A donated portion of a human body stored on behalf of a recipient or potential recipient of a living or cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, eye, bone, artery, blood, or any other fluid or serum.
(F) Information captured from a patient in a health care setting by a provider of health care, as defined in subdivision (m) of Section 56.05, including physicians and surgeons licensed by the Medical Board of California, for the purpose of health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 or the California Confidentiality of Medical Information Act.
(G) An image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening, including an x-ray, roentgen process, computed tomography, magnetic resonance image, positron emission tomography scan, or mammography.
(b) “Business purpose” has the same meaning as that term is defined in Section 1798.140.
(c) (1) “Private entity” means an individual, partnership, corporation, limited liability company, association, or similar group, however organized.
(2) “Private entity” does not include a federal, state, or local government agency or an academic institution.
(d) “Written release” means either of the following:
(1) Specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time the consent is given.
(2) In the context of employment, a release executed by an employee as a condition of employment.
1798.301.
(a) On or before September 1, 2023, a private entity in possession of biometric information shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying the biometric information on or before the earliest of the following:
(1) The date on which the initial purpose for collecting or obtaining the biometric information is satisfied.
(2) One year after the individual’s last intentional interaction with the private entity.
(3) Notwithstanding Section 1798.130, within 30 days after the private entity receives a verified request to delete the biometric information submitted by the individual or the individual’s representative.
(b) A private entity in possession of biometric information shall comply with the retention schedule and destruction guidelines established pursuant to subdivision (a).
(c) This section does not apply to biometric information that is the subject of a valid warrant or subpoena issued by a court.
(d) This section shall not apply to any disclosures made to a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the subject’s biometric information is disclosed to a public or private nonprofit secondary educational institution for the purpose of scientific research or educational activities, as described in paragraph (4) of subdivision (c) of Section 56.184.
1798.302.
(a) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a person’s biometric information unless both of the following are true:
(1) The private entity requires the biometric information for either of the following purposes:
(A) To provide a service requested or authorized by the subject of the biometric information.
(B) Another valid business purpose specified in the written policy published pursuant to Section 1798.301.
(2) The private entity first does both of the following:
(A) Informs the person or the person’s legally authorized representative, in writing, of both of the following:
(i) The biometric information being collected, stored, or used.
(ii) The specific purpose and length of time for which the biometric information is being collected, stored, or used.
(B) Receives a written release executed by the subject of the biometric information or by the subject’s legally authorized representative.
(b) (1) A private entity shall not seek the written release described in subdivision (a) through, as a part of, or otherwise combined with, another consent- or permission-seeking instrument or function.
(2) A private entity shall not combine a written release described in subdivision (a) with an employment contract.
(3) A written release, as described in subdivision (a), from a minor shall not be obtained except through the minor’s parent or guardian.
1798.303.
A private entity shall not sell, lease, trade, or otherwise profit from the disclosure of a person’s biometric information or use for advertising purposes a person’s biometric information.
1798.304.
A private entity shall not disclose biometric information unless any of the following are true:
(a) The subject of the biometric information, or the subject’s legally authorized representative, provides a written release that authorizes the private entity to disclose the biometric information immediately before the disclosure and includes a description of all of the following:
(1) The data that will be disclosed.
(2) The reason for the disclosure.
(3) The recipients of the biometric information.
(b) The disclosure completes a financial transaction requested or authorized by the subject of the biometric information or the subject’s legally authorized representative.
(c) The disclosure meets either of the following criteria:
(1) It is required by law.
(2) It is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
1798.305.
A private entity shall store, transmit, and protect from disclosure biometric information using the reasonable standard of care within the private entity’s industry and in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
1798.306.
An individual alleging a violation of this title may bring a civil action for any of the following relief:
(a) The greater of either of the following:
(1) Statutory damages in an amount not less than one hundred dollars ($100) and not greater than one thousand dollars ($1,000) per violation per day.
(2) Actual damages.
(b) Punitive damages.
(c) Reasonable attorney’s fees and litigation costs.
(d) Any other relief, including equitable or declaratory relief, that the court determines appropriate.
1798.307.
This title does not do any of the following:
(a) Impact the admission or discovery of biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.
(b) Conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(c) Conflict with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).
1798.308.
(a) A private entity shall not condition the provision of a service on the collection, use, disclosure, transfer, sale, or processing of biometric information unless biometric information is strictly necessary to provide the service.
(b) A private entity shall not charge different prices or rates for goods or services or provide a different level or quality of a good or service to an individual who exercises the individual’s rights under this title.