On October 11, 2019, California Governor Gavin Newsom signed into law AB 1130, which expands the types of personal information covered by California’s breach notification law to include, when compromised in combination with an individual’s name: (1) additional government identifiers, such as tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; and (2) biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina, or iris image) used to authenticate a specific individual. Biometric data does not include a physical or digital photograph unless used or stored for facial recognition purposes.

AB 1130 also specifies that “[i]n breaches involving biometric data,” the reporting entity must provide “instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on [that] data for authentication purposes.”

The amendments take effect January 1, 2020.