Staying in Compliance with CCPA and BIPA for Video Security

CCPA (California Consumer Privacy Act) and BIPA (Biometric Information Privacy Act) are two recent laws (BIPA actually goes back to 2008) that put restrictions on what type of consumer information a company can collect.

In this article, we’ll give some background on each law, how to be compliant, and then discuss how they relate to companies that want to use security cameras at their office locations within California or Illinois.

CCPA Overview

CCPA is one of the latest consumer privacy laws that has recently been passed and shares many similarities to the EU’s GDPR. It was passed in 2018 and officially went into effect on January 1st, 2020, although California won’t start enforcing (imposing fines) the law until July 1st, 2020.

In simple terms, companies must notify users if they intend to monetize their data and also give consumers (California residents) the right to opt out of that monetization. Below are the basic intentions of the act for consumers.

1. Know what personal data is being collected about them
2. Know whether their personal data is sold or disclosed and to whom
3. Say no to the sale of personal data
4. Access their personal data
5. Request a business to delete any personal data
6. Not be discriminated against for exercising their privacy rights

This law generally applies to any company that exceeds one of the below thresholds:

• Annual gross revenues over $25M
• Annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices OR derive 50 percent or more of its annual revenues from selling consumers’ personal information.

Starting in July 2020, violations can start being assessed with fines.

CCPA and Video Security

So how does CCPA relate to video surveillance tools? While a vendor like Rhombus might not be the intended target of CCPA, many of our customers fall under its regulations which means our solution would fall under the regulations as well.

The most applicable part of CCPA with regards to video security is generally anything to do with facial recognition. Facial recognition is considered personal data and in order to make sure our customers stay compliant with CCPA, we will be giving them tools to handle consumer requests before July 1st, 2020.

These tools will include the ability to give a full report on all data our system has about the consumer that has requested their information. It will also give customers the ability to “forget” a specific person in the case that someone asks to delete all information about them. This “forget” ability will delete all associated face images and identifiers.

We will also give our customers data broker agreements so they can see exactly how we handle customer data and know exactly the steps they have to take with us in order to stay compliant with CCPA and their consumers.

Our team is constantly staying on top of the laws so that as they become further defined, we will continue to do everything we necessary to ensure our customers stay compliant to these regulations.

BIPA Overview

BIPA pertains to Illinois and applies to companies that collect and store biometric information (including fingerprints, voiceprints, and scans of the hand or face geometry). The requirements for those companies include:

• Obtain consent from individuals if the company intends to collect or disclose their personal biometric identifiers
• Destroy biometric identifiers in a timely manner
• Securely store biometric identifiers

BIPA applies to all “private entities” defined to include individuals, partnership, corporation, limited liability company, or other group.

BIPA and Video Security

For video security, BIPA really only applies to facial recognition and it’s fairly cut and dry in that respect. If you are going to deploy facial recognition for any purpose, then you need consent from anyone the cameras might identify.

Given the challenges with getting consent from everyone (unless you run some type of locked down facility), it’s usually a best practice to not deploy facial recognition in Illinois due to BIPA.

Within Rhombus, it’s a simple setting to enable or disable facial recognition for a specific camera.

Conclusion

If you’re a company with a presence in California or Illinois and want to use video security, then it’s important to choose a video security vendor that will help you fully comply with CCPA and/or BIPA to reduce any potential liability exposure. You will want to choose a vendor that understands these regulations and provides you with the necessary tools to be compliant with these regulations. If you have any questions or would like to learn more about ensuring CCPA and BIPA compliance with video security, please reach out to sales@rhombussystems.com