In late February, two California lawmakers, each with the support of California Attorney General Xavier Becerra, introduced bills to strengthen individuals' data privacy.
California State Assemblymember Marc Levine introduced a bill that would require businesses to notify consumers of compromised passport numbers and biometric information. California requires businesses that own, license or maintain personal information to disclose to California residents if their personal information is accessed without authorization or is reasonably believed to have been accessed. Personal information includes Social Security number, driver's license number, bank account number, debit card number, credit card number and medical and health insurance information. Levine's bill would expand the notification requirement to include government-issued IDs, such as passports, and biometric information, such as iris, fingerprint and retina scans.
He said the Starwood data breach that Marriott disclosed on Nov. 30 prompted his bill. The breach occurred on Starwood's guest reservation database from 2014 until it was discovered in September 2018. The company estimates that as many as 383 million customers may have been affected. Among the data exposed were personal and payment card information and passport numbers.
Matt Aldridge, a senior solutions architect at cybersecurity firm Webroot, said companies will need strong auditing to track the use of passport and biometric data and to detect and report when something goes wrong. He also added that companies should take steps to protect such data. "Companies dealing with the storage and/or processing of consumer data need to ensure they have adequate controls to protect this data and that they have significant justification for having the data at all."
State Senator Hannah-Beth Jackson, meanwhile, introduced a bill to expand the California Consumer Privacy Act of 2018, which Governor Jerry Brown signed in June. Before CCPA goes into effect Jan. 1, the state government is sorting out details and making changes via follow-up legislation like Jackson’s, according to Joseph Lazzarotti, who leads the data, privacy and cybersecurity arm for law firm Jackson Lewis.
Currently, the law requires businesses to comply with consumer requests to disclose the business' practices around personal information collection and sharing, to delete the consumer's personal information and to allow the consumer to opt out of the sale or sharing of his or her personal information. A consumer can sue a business for damages if his or her nonencrypted or nonredacted personal information is accessed, taken or disclosed because the business did not meet reasonable security procedures.
Jackson's amendments significantly expand the basis on which a consumer can sue, Lazzarotti said. "Under one of the amendments, a consumer can sue for a violation of any of their rights under the law, not just a breach where the company failed to have reasonable safeguards in place," he said. For example, he noted, it appears that a consumer now could sue a company that denies a consumer’s request to delete his or her personal information, though CCPA does provide for some exceptions that allow businesses to deny such requests. Jackson's bill also removes language that allows businesses to seek compliance guidance from the attorney general, a move meant to save taxpayer money by removing the attorney general's availability as counsel, according to California Attorney General Becerra.
Additionally, Jackson proposes to remove from the law's language, "A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance," leaving in place: “Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” The change would remove the 30-day opportunity for businesses to resolve compliance issues.
"These amendments will ensure that the most significant privacy protections in the nation are robustly enforced," Becerra said.
Because California has the largest population and economy in the U.S. and the fifth-largest economy in the world, a lot of companies could fall under the bill's purview. Likened to the European Union's General Data Protection Regulation for its expansiveness, CCPA applies to any entity that does business in California that satisfies any one of the following:
- annual gross revenue over $25 million
- 50 percent or more of its annual revenue from selling California residents' personal information
- buys, sells or shares the personal information of 50,000 or more California residents
Because Jackson's amendments heighten their legal exposure, companies will need to take action, said Aldridge. "Any increase in corporate risk associated with this legal exposure should lead to heavier investment in data security and privacy controls to reduce the probability of actions being brought against a company."
CCPA is similar to GDPR for its broad consumer privacy protections, but the two laws are structurally different. Still, companies that are GDPR compliant have a head start on CCPA compliance, according to Lazzarotti.
In the coming months, the two bills will move to their respective legislative chambers' policy committees.