Source - Privacy and Data Security Alert | September 2019

California Adds Biometric Restrictions to Data-Breach Law, Potentially Creating a De Facto Biometric Privacy Law

Subject to the governor’s signature, California’s breach-notification law will gain additional requirements related to biometric information due to the passage of AB 1130. The bill adds “unique biometric data” to the definition of personal information where that data is generated from measurements or analysis of body characteristics for authentication purposes. Going forward, notices for breaches involving biometric data must include instructions on how to notify third parties to no longer rely on the compromised data for authentication purposes.


This change, in combination with the California Consumer Privacy Act’s (CCPA’s) private right of action, may create a de facto biometric privacy law in California that allows for a private right of action where there is unauthorized disclosure of biometric information (e.g., a merchant/employer sharing biometric information with a third-party provider) and a lack of policies and procedures governing biometric information.

Read more in the full September issue of the Privacy and Data Security Client Alert.