California’s privacy laws are getting tougher, but not Chicago tough… yet

The type of biometric privacy lawsuit filed last month against a Hilton Hotel in Chicago (Case 2019CH09270) is a harbinger of privacy litigation to come -- but a very similar case won't come soon to California, where the recently minted California Consumer Protection Act (CCPA) excludes employees like the plaintiff against Hilton.

The CCPA, which goes into effect Jan. 1, is mostly for businesses and consumers. But it does apply to biometric data such as the fingerprints of Taylor Booker, a housekeeper who, after working for a month at a Hilton Doubletree Hotel, complained that the requirement to scan her fingerprint as a time-tracking authentication method violated the state of Illinois' Biometric Information Privacy Act because it unlawfully collected, used and stored her and other workers' "sensitive and proprietary" biometric data as a condition of employment without ever obtaining their informed consent.

"Unlike ID badges or time cards -- which can be changed or replaced if stolen or compromised -- fingerprints are unique, permanent biometric identifiers associated with each employee," says the lawsuit, filed Aug. 12. "This exposes defendants' employees to serious and irreversible privacy risks."

All 50 states have enacted legislation to protect consumers' private information, but some states have more stringent laws and penalties than others. To date, only three states, Illinois, Texas and Washington, have laws addressing the use and collection of biometric data that applies to employees. The CCPA does address biometric data, but only applies to consumers.

Since the passage of the Illinois law, the states of Texas and Washington have followed up with their own versions of the legislation. However, under the Illinois Biometric Information Privacy Act, enacted in 2008, individuals are allowed to file lawsuits over alleged violations.

If said violation is shown to be intentional or reckless, the liable party can be fined as much as $5,000 for each violation. Furthermore, a plaintiff is not required to prove that they suffered actual damages -- only that the defendant violated the law by illegally storing and sharing the personal biometric data in question.

A number of other companies besides Hilton have been hit with class action lawsuits over alleged violations of BIPA, including Walmart and Google.

But the privacy litigation in Illinois has been particularly robust. Last month, the 9th U.S. Circuit Court of Appeals affirmed the district court's order certifying a class of Facebook users who allege that Facebook's "tag suggestions" feature violated their rights under Illinois's BIPA.

In California, there are a number of terms defined in the legislation in order to clarify the parameters of the law. Certain businesses and all California consumers are the two groups who fall under the provisions in the bill, defined as:

"Consumer": According to the act, "'Consumer' means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations...";

"Business": This term has a lengthy definition in the bill, which describes many typical business models and types. Three key articles to pay attention to include:

• For-profit entities that do business in California and collect consumers' personal information;

• Has annual gross revenues over $25 million; and,

• Derives 50% or more of annual revenues from selling consumers' personal information."

While the above definitions appear to make clear that collection of employee biometric data is not covered by the CCPA, California businesses should still be wary. The author of the CCPA, Assemblymember Ed Chau, introduced AB 25 this year, which attempted to make certain that the CCPA does not cover employees of businesses.

However, a coalition opposed AB 25, expressing concern that the exemptions would go too far in eroding the rights of employees who are also consumers, and fought the bill in the Senate Judiciary Committee. Assemblymember Chau agreed to amend the law to clarify that employers subject to the CCPA would still be required to inform employees who are also consumers of what categories of personal information they collect and the purposes for which such personal information shall be used.

In addition, Assemblyman Chau also agreed to look at this issue further in the future. The State Assembly and Senate passed the law on Friday (Sept. 13). If the governor signs AB 25 into law, the exemption for employee data would only be effective for the 2020 calendar year and would be inoperative on or after Jan. 1, 2021.

While the CCPA is therefore unlikely to extend privacy rights to employees over biometric data in 2020, California is likely to revisit this issue. Employers that currently use employee biometric data should therefore anticipate issues now by ensuring that such data is securely stored and encrypted. Employers should also take steps to notify their employees that they are collecting this information and will limit its use to a narrow employer purpose. Employers that take these steps will find themselves well positioned to respond to changes in the law in the future. 