Quantity Over Quality? CCPA Expands Definition of Personal Biometric Information but Limits Civil Recovery in Many Instances

Written By: Julia Aguilar

On January 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) took effect. Created as a resource to offer “consumers more control over the personal information collected about them,” the CCPA was partly introduced in an effort by the California legislature to compete with privacy protections offered in other states.[1] Prior to 2020, biometric data laws were limited to a handful of states including Arkansas, Illinois, Louisiana, Texas, and Washington, offering citizens privacy protection from businesses that had access to their data.[2] Biometrics are “unique physical characteristics, such as fingerprints, that can be used for automated recognition.”[3]

The CCPA requires businesses to give consumers notice of the personal information they retain in their files, and the option to consent or request deletion of that information.[4] Additionally, it includes unauthorized storage of browsing and search history in its list of actionable offenses.[5] When a consumer is harmed following a breach of their personal data, however, their remedies are often limited under the act, which begs the question, how much protection does the CCPA actually offer consumers?

For instance, the social-media giant Facebook settled a class-action lawsuit just last month for $650 million brought by Illinois residents under the Illinois Biometric Information Privacy Act (“BIPA”).[6] The complaint alleged that Facebook created and stored users’ face templates without prior notification and written consent following the law’s enactment in 2008, which allows for a private right of action.[7] California District Judge James Donato, who approved the settlement payout of $350 to each class member on January 14, 2021, stated, “[t]his is money that’s coming directly out of Facebook’s own pocket. . . . The violations here did not extract a penny from the pockets of the victims. But this is real money that Facebook is paying to compensate them for the tangible privacy harms that they suffered.”[8]

For a similar breach under the CCPA, however, the California Attorney General’s own webpage admits that “[y]ou cannot sue businesses for most CCPA violations.”[9] In fact, “[y]ou can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances.”[10] You may be able to sue if your personal information was stolen as a result of a business’ data breach, following their negligence.[11] However, if you are able to sue for statutory damages, “if the business is able to cure the violation and gives you its written statement that it has done so” then your ability to sue is null unless the business continues its unlawful conduct.[12]

If damages serve the function of deterring unlawful behavior, then how effective can laws such as the CCPA be, when tech companies have more than enough money to throw away on costly litigation? Compared to the CCPA, the BIPA cracks the whip on companies, like Facebook, in a much more palpable manner. By granting injured litigants a direct path to these business’ wallets, such verdicts send a resounding message discouraging data collection in a privacy war that has only just begun.


[1] California Consumer Privacy Act (CCPA), State of Cal. Dep’t of Just. Off. of the Att’y Gen. (Feb. 13, 2021, 1:00PM), https://oag.ca.gov/privacy/ccpa [https://perma.cc/3DWC-655Z].

[2] Seyfarth Shaw, LLP, The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Businesses, Jdsupra (June 11, 2020), https://www.jdsupra.com/legalnews/the-growing-number-of-biometric-privacy-62648/ [https://perma.cc/9QQA-ULSQ].

[3] Biometrics, U.S. Dep’t of Homeland Sec. (July 13, 2020), https://www.dhs.gov/biometrics [https://perma.cc/W3DN-SUXH].

[4] Seyfarth Shaw, LLP, supra note 2.

[5] Id.

[6] Robert Channick, Nearly 1.6 Million Illinois Facebook Users to Get About $350 Each in Privacy Settlement, Chicago Tribune (Jan. 14, 2021, 8:04PM), https://www.chicagotribune.com/business/ct-biz-facebook-privacy-settlement-illinois-20210115-2gau5ijyjff4xd2wfiiow7yl4m-story.html [https://perma.cc/C9FN-U8YE].

[7] Meg Graham, Illinois Biometrics Lawsuits May Help Define Rules for Facebook, Google, Chicago Tribune (Jan. 17, 2017, 9:00AM), https://www.chicagotribune.com/business/blue-sky/ct-biometric-illinois-privacy-whats-next-bsi-20170113-story.html [https://perma.cc/27PN-Y5XU].

[8] Channick, supra note 5..

[9] California Consumer Privacy Act (CCPA), State of Cal. Dep’t of Just. Off. of the Att’y Gen. (Feb. 13, 2021, 1:00pm).

[10] Id.

[11] Id.

[12] Id.








Leave a Reply

Your email address will not be published. Required fields are marked *