With all eyes on amendments to the California Consumer Privacy Act of 2018 (CCPA) as the state’s 2019 legislative session drew to a close, the enactment of two additional privacy bills on October 11, 2019 — the same day Governor Gavin Newsom signed five CCPA amendment bills into law — went largely overlooked. However, companies doing business in California should take note of the additional requirements that these laws will impose when they take effect on January 1, 2020. These include expanding the categories of personal information (PI) that trigger California’s breach notification obligations following certain data security incidents, and requiring so-called “data brokers” to register annually with the California Attorney General (AG).
The bills that Governor Newsom signed into law include:
A.B. 1130. California’s current breach notification law requires businesses that conduct business in California and that own or license computerized data that includes PI to notify California residents whose PI was, or is reasonably believed to have been, subject to an unauthorized acquisition that compromises the security, confidentiality, or integrity of the PI. The law currently defines PI to include:
- An individual’s (a) first name or first initial and last name (b) in combination with his or her: Social Security number; driver’s license number or California identification card number; account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; medical information; health insurance information; or information or data collected through an automated license plate recognition system; and
- A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
When A.B. 1130 becomes operative, the definition of PI will be amended — and, thus, notice triggers expanded — to include:
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes; and
- Tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on government documents that are commonly used to verify a specific individual’s identity.
The expanded definition of PI under California’s breach notification law impacts the CCPA as well, since the CCPA’s private right of action borrows that definition: California residents may institute a civil action if their nonencrypted and nonredacted PI, as defined under the breach notification law, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices. As a result, the broader definition of PI in A.B. 1130 expands the types of situations in which California residents can exercise their private right of action under the CCPA.
California’s current breach notification law also specifies the minimum required contents of a breach notification, including, among other information: a list of the types of PI that were or are reasonably believed to have been the subject of the breach; and, if it is possible to determine such information at the time notice is provided, the date (or estimated date) and a general description of the breach. The notice may also include information about what the business has done to protect individuals whose PI has been breached and advice on steps that such individuals may take to protect themselves.
When A.B. 1130 becomes operative, the latter, optional contents of a breach notification will be expanded to include, in breaches involving biometric data, instructions on how to notify other entities that used the same type of biometric data as an authenticator so that those entities no longer rely on the compromised data for authentication purposes.
A.B. 1202. The law will require a data broker — a business that knowingly collects and sells to third parties the PI of a consumer with whom it does not have a direct relationship — to register with the California AG on or before January 31 following each year in which it meets this definition. The law will also require the California AG to create a page on its website whereby the contents of data brokers’ registrations will be accessible to the public.
Notably, the law’s key terms — including “business,” “consumer,” “personal information,” “sell,” and “third party” — use the corresponding definitions in the CCPA, and the following entities are specifically carved out of the definition of a data broker (and thereby excluded from the registration requirement): consumer reporting agencies, to the extent they are covered by the Fair Credit Reporting Act; financial institutions, to the extent they are covered by the Gramm-Leach-Bliley Act; and entities, to the extent they are covered by the Insurance Information and Privacy Protection Act.
The required registration must include the data broker’s name and primary physical, email, and website addresses, as well as any optional information that it wishes to provide regarding its data collection practices. Data brokers must also pay an annual fee in an amount to be determined by the AG. The AG has exclusive enforcement authority, and penalties for noncompliance may include: civil penalties of $100 for each day that the data broker fails to register; the fees that were due during such period; and/or expenses the AG incurred in its investigation and prosecution of the action.