Legislative Alert: California Expands Definition of Personal Information
By: Edwin Jones
On October 11, 2019, California Governor Gavin Newsom signed into law Assembly Bill 1130, which amends the Information Practices Act of 1977, as well as California Civil Code §§ 1798.29, 1798.81.5 and 1798.82.
The bill expands the definition of “personal information” under the California data breach notification statutes applicable to businesses and to government agencies (Cal. Civ. Code §§ 1798.29, 1798.82), as well as the California information security standards statute, which requires businesses to implement and maintain reasonable security measures to protect personal information (Cal. Civ. Code § 1798.81.5).
“Personal information” previously included (when combined with an individual’s name) a Social Security number, driver’s license number, California identification card number, financial account number with means to access the account, medical information, health insurance information, username or email with password (individual’s name not necessary), and information collected by automated license plate recognition systems.
Following the passage of AB 1130, “personal information” now also includes the following data elements:
- Tax identification numbers;
- Passport numbers;
- Military identification numbers;
- Unique identification numbers issued on a government document commonly used to verify the identity of a specific individual; and
- Unique biometric data such as a fingerprint, retina, or iris image that is generated from measurements or technical analysis of human body characteristics for the purpose of authenticating a specific individual. Biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
For a breach involving biometric data, AB 1130 also requires that the notification to consumers include instructions on how to notify other entities that may have used the same biometric data to no longer rely on that data for authentication purposes.
The law takes effect on January 1, 2020, in conjunction with the California Consumer Privacy Act of 2018, which creates a private right of action for consumers whose personal information was subject to unauthorized access, exfiltration, or theft as a result of a covered business’ failure to implement and maintain reasonable security procedures and practices to protect that information as required by Section 1798.81.5.