Key Point: If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.

On September 6, the California legislature passed amendments to the state’s data breach notification statutes (Cal. Civ. Code §§ 1798.29 & 1798.82) and information security statute (Cal. Civ. Code § 1798.81.5). The bill was enrolled and presented to the Governor on September 11.

If signed by the Governor, the legislation will expand the types of personal information that are covered under those statutes to include (1) tax identification numbers, passport numbers, military identification numbers, or other unique identification numbers issued on a government document commonly used to verify the identity of a specific individual and (2) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless stored for facial recognition purposes.

This is the first CCPA-related bill to pass the California legislature prior to the September 13 deadline.  Husch Blackwell will be hosting a webinar on September 16 to analyze what bills did and did not pass. For more information, click here.

The passage of this legislation implicates the CCPA through § 1798.150 of the CCPA, which provides that any “consumer whose nonencrypted or nonredacted personal information, as defined in [Cal Civ. Code § 1798.81.5(d)(1)(A)], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” to recover damages of between $100 and $750 per consumer per incident. By expanding the types of personal information included in Cal Civ. Code § 1798.81.5(d)(1)(A), the legislation expands the types of personal information subject to the CCPA’s statutory penalties.

It goes without saying that businesses that are operating in California and collecting these additional types of personal information should take steps to ensure that they are properly protected, including the use of encryption and redaction.