5 California Consumer Privacy Act amendments signed into law
On Friday, October 11, California Gov. Gavin Newsom signed several bills into law that amend the California Consumer Privacy Act (CCPA). We summarized the amendments here. The CCPA amendments that were signed into law include AB25, AB847, AB1146, AB1355, and AB1564.
The California data breach notification law has also been amended; Gov. Newsom signed the amendment on October 11. The amendment (AB1130) adds the following to the definition of “personal information”:
- Tax identification number
- Passport number
- Military identification number or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual
In addition, if an incident involving biometric information requires notification under the law, the notice letter to impacted California residents may include instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on data for authentication purposes.
Gov. Newsom also signed AB1202. Under this law, data brokers are required to register with the California attorney general’s office, and that office will post information provided by data brokers to its website for public consumption. A “data broker” is a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Credit reporting agencies subject to the federal Fair Credit Reporting Act, financial institutions subject to the Gramm-Leach-Bliley Act, and entities covered by the California Insurance Information and Privacy Protection Act are not “data brokers” under the law and are exempt. Data brokers subject to the law must provide their name and physical address, as well as primary email and internet website addresses, and any information the data broker chooses to provide regarding its data collection practices.