The CCPA includes a non-exhaustive list of data types that may fall under the definition of personal information. One of those data types is “biometric information.”1
While the CCPA provides a definition of “biometric information,” it is worth noting that the CCPA’s definition differs from the definition of the term in other statutes and legal systems. The following provides a side-by-side comparison of the definition within the CCPA and the definition within the Illinois Biometric Information Privacy Act (BIPA) – the most litigated state law regulating biometric data. In some ways, the California definition may be broader, as it purports to include such things as “imagery” of an individual’s palm or vein patterns, and voice recordings, so long as an “identifier template” can be created from such data. It also purports to include characteristics such as “keystroke patterns or rhythms” that would rarely be considered “biometric data” by consumers or in other privacy statutes:
CCPA (as amended by CPRA)2 | Illinois Biometric Information Privacy Act (BIPA)3 |
“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. |
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers. “Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening. |
1 Cal. Civ. Code § 1798.140(v)(1)(E) (West 2021).
2 Cal. Civ. Code § 1798.140(c) (West 2021).
3 740 Ill. Comp. Stat. 14/10 (2021).