Changes in Other California Privacy and Data Security Laws

Amended Personal Information Definition

Under the CCPA, after satisfying certain procedural requirements, a consumer can bring a civil action in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, regarding their nonencrypted and nonredacted personal information that is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information (note that the foregoing differs from the California breach notification law, including as amended). Cal. Civ. Code section 1798.150.

The above definition of personal information is from the California data security procedures law, which was amended to expand the categories of personal information covered (namely, unique identification number issued on a government document commonly used to verify the identity of a specific individual and unique biometric data) and continues to exclude a username or email address together with a password or security question and answer that would permit access to an online account.

The above definition of personal information from the amended California data security procedures law means an individual's first name or first initial and the individual's last name together with any of the following data elements when either the name or the data elements are not encrypted or redacted.

• Social Security number
• Driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
• Account number or credit or debit card number, together with any required security code, access code, or password that would permit access to an individual's financial account
• Medical information
• Health insurance information
• Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual (excluding a physical or digital photograph, unless used or stored for facial recognition purposes). Cal. Civ. Code section 1798.81.5(d)(1)(A).

It is interesting to note that the California breach notification law was also concurrently amended to expand the categories of personal information covered (namely, a unique identification number issued on a government document commonly used to verify the identity of a specific individual and unique biometric data). Cal. Civ. Code section 1798.82(h).

California Data Broker Law

The California data broker law requires a data broker to register with the California attorney general. Cal. Civ. Code section 1798.99.82. The California data broker law defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship (excluding a consumer reporting agency to the extent that it is covered by the Fair Credit Reporting Act, a financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act and implementing regulations, and an entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code). Cal. Civ. Code section 1798.99.80.

This definition of data broker uses the following definitions from the CCPA: business, collect and collected, consumer, personal information, sale or sold, and third party. Cal. Civ. Code section 1798.99.80. The California data broker law also states: "Nothing in this title shall be construed to supersede or interfere with the operation of the [CCPA]." Cal. Civ. Code section 1798.99.88.