California Biometric Privacy Laws: Collection, Consent & Penalties (2026)

California does not have a standalone biometric privacy statute like Illinois's BIPA. Instead, the state folds biometric data into its comprehensive consumer privacy framework under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). For anyone collecting fingerprints, facial scans, or voiceprints in California, the rules are embedded throughout the California Data Privacy Laws ecosystem.
This means biometric protections in California come from multiple overlapping sources: CCPA/CPRA consumer rights, breach notification statutes, labor code restrictions, and new CPPA regulations on automated decisionmaking. Here is what you need to know.
How California Defines Biometric Information
The CCPA defines "biometric information" under Cal. Civ. Code 1798.140(c) as:
An individual's physiological, biological, or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.
The statute lists specific examples:
- Fingerprint, face, hand, palm, and vein pattern imagery
- Iris and retina scans
- Voice recordings from which identifiers can be extracted
- Keystroke patterns or rhythms
- Gait patterns or rhythms
- Sleep, health, or exercise data containing identifying information
Biometric information is also classified as a type of "personal information" under Section 1798.140(o)(1)(E).

Sensitive Personal Information Classification
Under the CPRA amendments, biometric information processed for the purpose of uniquely identifying a consumer qualifies as "sensitive personal information" under Section 1798.140(ae). This elevated classification triggers stronger protections than regular personal information.
One important distinction: photographs alone are not biometric information under the CCPA. However, photographs used or stored for facial recognition purposes do qualify.
Consumer Rights Over Biometric Data
Because biometric data is sensitive personal information, California consumers have several specific rights under the CCPA/CPRA:
Right to Limit Use and Disclosure. Consumers can direct businesses to limit the use of their biometric data to what is "necessary to perform the services or provide the goods reasonably expected by an average consumer." Businesses must provide a "Limit the Use of My Sensitive Personal Information" link on their websites.
Right to Know. Consumers can request that a business disclose what biometric information it has collected, the sources it collected from, the business purpose for collecting it, and the categories of third parties it has been shared with.
Right to Delete. Consumers can request deletion of their biometric data. Businesses must comply and direct service providers to delete the data as well.
Right to Correct. If biometric data is inaccurate, consumers can request correction.
Right to Opt Out of Sale or Sharing. Consumers can opt out of the sale or sharing of their biometric information with third parties.
No Retaliation. Businesses cannot discriminate against consumers who exercise these rights by denying goods, charging different prices, or providing a different quality of service.

Private Right of Action for Biometric Data Breaches
Cal. Civ. Code 1798.150 gives consumers the right to sue when their unencrypted personal information is exposed through a data breach caused by a business's failure to maintain reasonable security. This is one of the few areas where California law allows private lawsuits rather than relying solely on agency enforcement.
"Personal information" in the breach context includes a person's name combined with "unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual."
What Consumers Can Recover
- Statutory damages: $100 to $750 per consumer per incident
- Actual damages if greater than statutory damages
- Injunctive or declaratory relief
- Any other relief the court deems proper
Requirements Before Filing Suit
Consumers must provide the business 30 days' written notice identifying the specific violations before filing a statutory damages claim. If the business cures the violation within 30 days and provides a written statement confirming the fix, statutory damages cannot be pursued. Actual damages claims do not require prior notice.
This private right of action applies only to data breach scenarios. For other CCPA violations involving biometric data, enforcement runs through the Attorney General and CPPA.
Breach Notification Requirements
California's breach notification statutes, Cal. Civ. Code 1798.29 (government agencies) and 1798.82 (businesses), require notification when unencrypted biometric data is compromised. Learn more in our California Data Breach Notification Laws guide.
Key requirements for biometric data breaches include:
- Timeline: Notification must occur within 30 calendar days of discovering the breach
- Attorney General notice: Required when more than 500 California residents are affected
- Special biometric instructions: Breach notices involving biometric data must include instructions on how to notify other entities that used the same biometric data for authentication, so those entities can stop relying on the compromised data
- Required content: Notices must follow a prescribed format with headings including "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information"
Employer Obligations for Biometric Data
California employers face specific biometric data requirements from multiple sources.
CCPA/CPRA Employee Coverage
The employee personal information exemption under the CCPA expired on January 1, 2023. Since then, California employees have the same rights as consumers regarding their biometric data. Employers that collect fingerprints for time clocks, facial scans for building access, or other biometric identifiers must:
- Provide notice at or before the point of biometric data collection
- Honor employee requests to know, delete, correct, and limit the use of biometric data
- Allow employees to limit the use of biometric data to what is necessary for the employment relationship
- Maintain reasonable security procedures to protect biometric data
California Labor Code Section 1051
California Labor Code 1051 adds another layer. It prohibits employers from sharing employee fingerprints or photographs with third parties when the information could be used to the employee's detriment. Violation is a misdemeanor.
This means employers can collect fingerprints for internal purposes like timekeeping but cannot share that data with outside parties who might use it against the employee.

Enforcement and Penalties
Two agencies share enforcement authority over biometric data violations in California.
California Privacy Protection Agency (CPPA)
The CPPA was created by the CPRA in 2020 and has primary enforcement authority. As of 2025, the CPPA can impose:
- $2,663 per unintentional violation (adjusted annually for inflation)
- $7,988 per intentional violation
- $7,988 per violation involving a minor's data
The CPPA has been active. In 2025 alone, it issued a $632,500 fine against Honda and a $345,178 fine against Todd Snyder, and launched a Data Broker Enforcement Strike Force. While none of these actions specifically targeted biometric data misuse, they demonstrate the agency's willingness to pursue meaningful penalties.
Attorney General
The California Attorney General retains concurrent enforcement authority under Cal. Civ. Code 1798.199.90. The AG can bring civil actions for CCPA violations, including those involving biometric data.

New CPPA Regulations Effective 2026
The CPPA finalized new regulations on September 22, 2025, effective January 1, 2026, covering automated decisionmaking technology (ADMT), risk assessments, and cybersecurity audits. These regulations have direct implications for biometric data:
Automated Decisionmaking Technology. Businesses that use ADMT to process biometric information for profiling or identity verification must comply with new requirements starting January 1, 2027. This includes providing pre-use notices, offering opt-out options, and conducting accuracy evaluations and nondiscrimination audits.
Risk Assessments. Processing biometric data for profiling or identity verification qualifies as "significant risk" processing. Businesses engaged in such processing must complete risk assessments and submit attestations to the CPPA by April 1, 2028.
Cybersecurity Audits. Businesses that process sensitive personal information, including biometric data, at scale may need to conduct annual cybersecurity audits. Deadlines are tiered by revenue, with the largest companies (over $100 million) required to submit certifications by April 1, 2028.
Recent Legislative Expansions
California continues to expand the scope of biometric-adjacent protections through new legislation.
SB 1223: Neural Data Protection (Effective January 1, 2025)
SB 1223 added "neural data" to the definition of sensitive personal information under Section 1798.140(ae). Neural data means information generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from non-neural information.
This gives brainwave data from EEG headsets, neurofeedback devices, and brain-computer interfaces the same level of protection as fingerprints and facial scans. California became the first state to explicitly protect neural data under a consumer privacy law.
AB 1008: AI Model Coverage (Effective January 1, 2025)
AB 1008 clarified that biometric data collected without a consumer's knowledge can never be considered "publicly available" information, regardless of context. The bill also expanded the definition of "personal information" to cover abstract digital formats, including AI model weights and tokens derived from a consumer's personal data.
For biometric data specifically, this means a facial recognition model trained on a consumer's face images without their knowledge cannot claim that data was "publicly available" and therefore exempt from CCPA requirements.
How California Compares to Illinois BIPA
California's approach differs significantly from Illinois's Biometric Information Privacy Act (BIPA), which is the most aggressive standalone biometric privacy law in the country.
| Feature | California (CCPA/CPRA) | Illinois (BIPA) |
|---|---|---|
| Law Type | Comprehensive privacy law | Standalone biometric statute |
| Consent Required | Notice + right to limit use | Written informed consent before collection |
| Private Right of Action | Data breaches only (1798.150) | Any violation of the statute |
| Damages | $100-$750 per breach incident | $1,000-$5,000 per violation |
| Retention/Destruction | General deletion rights | Mandatory written retention policy |
| Enforcement | CPPA + AG + limited private action | Private lawsuits + AG |
California provides broader coverage since biometric protections are part of a comprehensive data privacy framework. However, the private right of action is far more limited than in Illinois, where individual plaintiffs have driven billions of dollars in settlements.
Sources and References
This article references California statutes, regulatory materials, and official agency publications. For the full text of the CCPA/CPRA, visit the California Legislative Information website. For current CPPA enforcement activity and rulemaking, visit cppa.ca.gov.
This article provides general legal information about California biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official California government sources.
Sources and References
- California Consumer Privacy Act full text (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.140 - CCPA Definitions including biometric information (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.150 - Private right of action for data breaches (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.82 - Breach notification requirements (leginfo.legislature.ca.gov)
- Cal. Civ. Code 1798.29 - Agency breach notification requirements (leginfo.legislature.ca.gov)
- California Labor Code Section 1051 - Employer fingerprint sharing prohibition (leginfo.legislature.ca.gov)
- SB 1223 - Neural data as sensitive personal information (leginfo.legislature.ca.gov)
- AB 1008 - AI model coverage and biometric data clarifications (leginfo.legislature.ca.gov)
- CPPA About Us - Agency authority and mission (cppa.ca.gov)
- CPPA 2025 penalty amount increases announcement (cppa.ca.gov)
- CPPA finalized ADMT, risk assessment, and cybersecurity audit regulations (cppa.ca.gov)
- CPPA Honda settlement enforcement action (cppa.ca.gov)
- CPPA Todd Snyder enforcement action (cppa.ca.gov)
- California Attorney General CCPA information (oag.ca.gov)
- OAG data breach reporting requirements (oag.ca.gov)