The type of biometric privacy lawsuit filed last month against a Hilton Hotel in Chicago is a harbinger of privacy litigation to come—but a very similar case is not likely to come soon to California, where the recently minted California Consumer Protection Act (CCPA) excludes employees like the plaintiff against Hilton.
The CCPA, which goes into effect Jan. 1, is mostly for businesses and consumers. But it does apply to biometric data such as the fingerprints of Taylor Booker, a housekeeper who, after one month of employment for a Hilton Doubletree Hotel, complained that the requirement to scan her fingerprint as a time-tracking authentication method violated the state of Illinois’ Biometric Information Privacy Act because it unlawfully collected, used and stored her and other workers’ “sensitive and proprietary” biometric data as a condition of employment without ever obtaining their informed consent.
"Unlike ID badges or time cards — which can be changed or replaced if stolen or compromised — fingerprints are unique, permanent biometric identifiers associated with each employee,” says the lawsuit, filed Aug. 12. “This exposes defendants' employees to serious and irreversible privacy risks.”
All 50 states have enacted legislation to protect consumers’ private information, but some states have more stringent laws and penalties than others. To date, only three states, Illinois, Texas and Washington, have laws addressing the use and collection of biometric data that applies to employees. The CCPA does address biometric data, but only applies to consumers.
In California, there are a number of terms defined in the legislation in order to clarify the parameters of the law. Certain businesses and all California consumers are the two groups who fall under the provisions in the bill, defined as:
According to the Act, “‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations…”;
This term has a lengthy definition in the bill, which describes many typical business models and types. Three key articles to pay attention to include:
- For-profit entities that do business in California and collect consumers’ personal information;
- Has annual gross revenues over $25 million; and,
- Derives 50% or more of annual revenues from selling consumers’ personal information.”
While the above definitions appear to make clear that collection of employee biometric data is not covered by the CCPA, California businesses should still be wary. The author of the CCPA, Assemblymember Ed Chau, introduced AB 25 this year, which attempted to make certain that the CCPA does not cover employees of businesses.
However, a coalition opposed AB 25, expressing concern that the exemptions would go too far in eroding the rights of employees who are also consumers, and fought the bill in the Senate Judiciary Committee. Assemblymember Chau agreed to amend the law to clarify that employers subject to the CCPA would still be required to inform employees who are also consumers of what categories of personal information they collect and the purposes for which such personal information shall be used.
In addition, Assemblymember Chau also agreed to look at this issue further in the future. Therefore, if AB 25 is signed into law, the exemption for employee data would only be effective for the 2020 calendar year and would be inoperative on or after January 1, 2021.
While the CCPA is therefore unlikely to extend privacy rights to employees over biometric data in 2020, California is likely to revisit this issue. Employers that currently use employee biometric data should therefore anticipate issues now by ensuring that such data is securely stored and encrypted. Employers should also take steps to notify their employees that they are collecting this information and will limit its use to a narrow employer purpose. Employers that take these steps will find themselves well positioned to respond to changes in the law in the future.