California Amends Data Breach Notification Provisions

California Governor Gavin Newsom recently signed into law a bill, Assembly Bill 1130 (AB 1130), which, in part, expands the types of information covered by California’s data breach notification provisions by revising the definition of “personal information.”  The amendments go into effect on January 1, 2020.

Specifically, AB 1130 expands the definition of “personal information” to cover biometric data and additional government identifiers.  Biometric data includes data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris images) used to authenticate a specific individual.  Biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes.  The new government identifiers include tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of an individual.

AB 1130 also provides that in breaches involving biometric data, the reporting entity must provide “instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on [that] data for authentication purposes.”