Bills Introduced in California Legislature to Expand Scope of Breach Notification Law and Amend the CCPA
California already has some of the strongest data privacy laws in the United States, but within the past week state legislators, with the backing of the California Attorney General Xavier Becerra, have proposed two new bills that would strengthen California’s data privacy laws even more. One bill (SB 561) would amend key sections of the California Consumer Privacy Act (the “CCPA”), which we have previously blogged about when it was first enacted and when it was subsequently amended, and the other bill (AB 1130) would expand the definition of “personal information” under California’s data breach notification law to include biometric information and government-issued ID numbers (e.g., passport numbers).
California Consumer Privacy Act Amendment
SB 561 (the “CCPA Bill”) would modify some key elements of the CCPA, which was first passed on June 28, 2018 and is slated to become operative on January 1, 2020. The CCPA Bill expands the private right of action under the CCPA and limits two protective measures for companies previously built into the law.
Private Right of Action
The CCPA Bill allows for an expanded private right of action by California citizens under the Act. As the law is currently written, only the California Attorney General can sue for most violations (note: there is a private right of action under Section 1798.150 limited to consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”). Under the currently existing CCPA, a consumer may only bring a private lawsuit if they first provide the business with 30 days’ written notice identifying the specific provisions of the CCPA that have been violated. If the business cures the breach, the private lawsuit may not be initiated. However, the CCPA Bill would remove this 30-day cure period, as detailed further below.
The CCPA Bill expands Sections 1798.150(a)(1) and 1798.150(c) to allow for a private right of action under the CCPA for “any consumer whose rights under this title are violated”, not just violations involving unauthorized access, theft, or disclosure of information. The Attorney General’s goal in this regard is to provide more recourse to consumers when the CCPA is violated.
Attorney General Opinions
The CCPA Bill revises the option under Section 1798.155(a) for a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the CCPA. The amendment would strike this option and instead require the Attorney General to publish general public guidance about the law.
30-Day Cure Period
The CCPA Bill also deletes the 30-day cure period currently provided for under the law. Section 1798.155(b) allows businesses in violation of the CCPA 30 days after being notified of alleged noncompliance to cure the alleged violations before a civil action can be commenced. The CCPA Bill would allow for enforcement under the CCPA immediately, without prior notice.
Data Breach Notification Law Amendment
In addition to changes under the CCPA, on February 21, 2019, AB 1130 (the “Notification Bill”) was introduced and would expand California’s definition of “personal information” under its breach notification law to include biometric information and government-issued identification numbers (presumably to include such information as passport numbers, as the law already states that a driver’s license or state ID card number falls under the definition of personal information when combined with an individual’s name). The bill is seemingly a direct response to the recent breaches that potentially compromised the passport numbers of millions of California residents.
Under California’s data breach notification law, notification obligations are only triggered for breaches involving “personal information,” which is currently defined as a first name or initial and last name in conjunction with a social security number, driver’s license number, California identification card number, account number or financial card number in combination with a password, medical information, health insurance information, or information collected through an automated license plate recognition system.
The Notification Bill proposes to expand the definition of personal information by adding “other government-issued identification numbers[s]” and “[u]nique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, or other unique physical representation or digital representation of biometric data.”
While some other states have expanded the scope of their own breach notification laws in recent years, the Notification Bill is significant because California has long served as a guidepost for other states drafting or amending their own data breach notification laws. Many other states already include government-issued identification numbers and biometric data in their definitions of personal information, but California’s amendment could inspire additional states to expand their laws.
With both proposed bills, it is clear that data privacy remains high on the agenda of California legislators and the Attorney General. We will continue to monitor updates on California privacy laws, particularly as the CCPA effective date gets closer.