CCPA: California Legislature Passes Amendments To Data Breach Notification And Information Security Statutes

Husch Blackwell LLP

Key Point: If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.

On September 6, the California legislature passed amendments to the state’s data breach notification statutes (Cal. Civ. Code §§ 1798.29 & 1798.82) and information security statute (Cal. Civ. Code § 1798.81.5). The bill was enrolled and presented to the Governor on September 11.

If signed by the Governor, the legislation will expand the types of personal information that are covered under those statutes to include (1) tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual and (2) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless stored for facial recognition purposes.

This is the first CCPA-related bill to pass the California legislature prior to the September 13 deadline. Husch Blackwell will be hosting a webinar on September 16 to analyze what bills did and did not pass.

The passage of this legislation implicates the CCPA through § 1798.150 of the CCPA, which provides that any “consumer whose nonencrypted or nonredacted personal information, as defined in [Cal. Civ. Code § 1798.81.5(d)(1)(A)], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” to recover damages of between $100 and $750 per consumer per incident. By expanding the types of personal information included in Cal. Civ. Code § 1798.81.5(d)(1)(A), the legislation expands the types of personal information subject to the CCPA’s statutory penalties.

It goes without saying that businesses that are operating in California and collecting these additional types of personal information should take steps to ensure that they are properly protected, including the use of encryption and redaction.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
