California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications

California Governor Gov. Gavin Newsom has signed a new bill that updates data breach notification law in California, expanding the definition of personal information requiring notifications in the event of a breach.

Prior to the update, notifications were required if state residents had their Social Security number, driver’s license number, health information, financial information, or username/passwords compromised. The update means that entities that experience a breach that involves passport numbers, tax ID numbers, military ID numbers, other unique government ID numbers, or biometric information will also need to be notified of a data breach.

The law applies to data breaches where personal information has been obtained by an unauthorized person or is reasonably believed to have been obtained by an unauthorized individual.

The bill – AB-1130 – was introduced by California Assemblyman Marc Levine (D) and was co-sponsored by California Attorney General Xavier Bercerra. Governor Newsom signed the bill into law on October 11 and the bill will take effect on January 1, 2020.

Updates Made to California Consumer Privacy Act

Governor Newsom also signed six amendments to the California Consumer Privacy Act (CCPA) into law. CCPA introduced a range of new privacy protections for California residents giving them new rights over the data collected on them by businesses.

CCPA is due to take effect on January 1, 2020, although the new law will not be enforceable until 6 months after the California Attorney General publishes final regulations on CCPA. The first draft of those regulations has now been issued by Attorney General Bercerra.

Public hearing dates have been scheduled between December 2, 2019 and December 6, 2019 and the final set of regulations are due to be released in the spring of 2020. CCPA will become enforceable 6 months after the publication of the implementing regulations or on July 1, 2020, whichever is sooner. However, if the final regulations are published between July 1, 2020 and December 31, 2020, enforcement cannot commence until 6 months after the publication date.

The updates to CCPA that have now been signed into law are:

AB-25 – CCPA no longer includes data collected on job applicants, employees, directors, officers, business owners, medical staff, and contractors for the first year.

AB-874 – Update to “publicly available information” clarifying that the information is lawfully made available from federal, state, or local government records.

AB-1146 – Vehicle information collected under a warranty or recall programs is now exempt from CCPA.

AB-1202 – Data brokers are required to register with the California Attorney General’s office.

AB-1355 – Aggregated consumer data and deidentified data are exempted from the CCPA definition of personal information.

AB-1564 – Businesses are required to provide two methods for consumers to contact them, unless the business only operates online, in which case only an email address needs to be offered.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.