California governor signs seven bills related to data security and privacy

By Karl D. Belgum

On September 16, 2019, we reported on a number of bills passed by the California Legislature in the final days of the session, amending the California Consumer Privacy Act. On October 13, 2019, Governor Gavin Newsom signed those bills into law. To recap briefly, they are:

AB 25: Exempts from the scope of the Act information collected in an employment context, i.e., information collected in a job application, or from employees, directors, business owners, medical staff, or contractors. However, the private right of action for negligently allowing the disclosure of such information in Civil Code 1798.150 still applies.

AB 874: Simplifies the definition of "publicly available information," which does not count as "personal information" under the Act. Eliminates the restriction that information obtained from a public source is exempt from the definition of personal information only if it is used for the same purpose for which it was gathered by the public entity.

AB 1146: Exempts information maintained or exchanged between an auto dealer and a manufacturer for warranty or recall purposes from certain obligations under the Act. Such information cannot be the subject of a request to delete, and sharing of the information between a dealer and manufacturer does not trigger an obligation to disclose it as a "sale" of such information.

AB 1202: Adds new sections Civil Code 1798.99.80-82. Requires all data brokers to register with the attorney general. A data broker is any business that knowingly collects and sells (broadly defined) personal information regarding persons with whom it has no direct relationship.

AB 1355: Exempts deidentified and aggregate information from the definition of "consumer information" in the Act; also clarifies the interrelationship of the Act and the Fair Credit Reporting Act.

AB 1564: Streamlines the methods businesses must make available to consumers to make requests to disclose their personal information. A business that operates exclusively online and has a relationship with the consumer is only required to make a single online method available for such requests. However, a business that maintains a website must include the website as one of the methods to receive such requests.

In addition, the governor signed AB 1130, which amends the state's data breach notification law. It revises the definition of personal information for breach notification purposes to add specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to the existing categories that already include driver's licenses and California identification cards. Upon a breach of biometric data, the breach notice now must include instructions on how the consumer can notify entities who may be relying on such data for identification purposes to let them know that it is no longer secure.


Karl D. Belgum

Senior Counsel
