California Amends Key CCPA Definitions

California Amends Key CCPA Definitions

Overview


California is set to amend the California Consumer Privacy Act of 2018 (CCPA) with two recent amendments that have been signed into law. Assembly Bill (AB 1008) and Senate Bill 1223 (SB 1223) aim to clarify how the law defines personal information and double down on the recent focus on biometric information among the states. The amendments carve out the scope of what is publicly available information and expand the breadth of the definition of sensitive personal information to include neural data.

In Depth


SB 1223

SB 1223 expands the CCPA’s definition of sensitive personal information to include neural data. The bill defines neural data to mean “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” This expansion of the definition of sensitive personal information follows Colorado’s recent passage of HB 24-1058, which specifically expanded the safeguards for neural data. SB 1223 will require businesses that collect neural data to include proper disclosures in their privacy policies and respect a consumer’s right to limit the use of that data.

AB 1008

Assembly Bill 1008 includes two significant definitional updates to the CCPA. First, it clarifies that “personal information” can exist in various formats, including artificial intelligence (AI) systems that are capable of outputting personal information. Second, it makes clear that biometric information collected without a consumer’s knowledge can never be deemed “publicly available” and therefore not exempt from the definition of “personal information.”

KEY TAKEAWAYS

  • Companies that collect neural information must now consider that information “biometric” information under the CCPA, and they must comply with the CCPA rules related to sensitive personal information, such as providing consumers with the right to limit the use of their sensitive personal information.
  • Biometric information collected without a consumer’s knowledge cannot be considered “publicly available” and will not be exempt from the definition of “personal information.”
  • AI systems can contain and create personal information.

Our cross-practice team continues to closely monitor global privacy and cybersecurity developments. To learn more, reach out to one of the authors or your regular McDermott lawyer to discuss the potential legal implications for your business.