UPDATE: Prior to the close of the legislative session, the amended AB 83 failed to make it out of committee.

With the session ending on August 31st, the California legislature is debating a bill (AB 83) that would expand data security requirements for businesses that maintain personal information of California residents to include, among other things, protection for geolocation and biometric data. Under existing law (Cal. Civ. Code §1798.81.5(b)), a person or business that owns, licenses, or maintains a California resident’s “personal information” must implement and maintain “reasonable security procedures and practices appropriate to the nature of the information.” The current law also lists multiple types of covered “personal information.”

Most notably, AB 83 would expand the definition of “personal information” to include “geolocation information” and “biometric information.” In addressing business concerns, the definitions of geolocation and biometric information were reportedly tightened in the latest amendments to the bill:

  • “Geolocation information” means location data generated by a consumer device capable of connecting to the Internet that directly identifies the precise physical location of the identified individual at particular times and that is compiled and retained. “Geolocation information” does not include the contents of a communication or information used solely for 911 emergency purposes.
  • “Biometric information” means data generated by automatic measurements of an individual’s fingerprint, voice print, eye retinas or irises, identifying DNA information, or unique facial characteristics, which are used by the owner or licensee to uniquely authenticate an individual’s identity.

A full interpretation of what will be covered under the bill must await final passage. As currently drafted, though, the bill would presumably cover, for example, precise geolocation data collected and maintained by certain mobile apps or fitness devices, as well as biometric data “used to authenticate a person,” which would appear to include the faceprints collected and used by social media and photo storage services for photo tagging purposes. However, one interesting provision in the bill would amend existing law to state that “personal information” does not include “publicly available information that is lawfully made available to the general public” (the existing law only exempts government data made available to the public). It remains to be seen how such an exception will be interpreted, as the phrase “lawfully made available to the general public” could potentially encompass a host of personal data published on the web.