Amendment to CCPA and California’s Data Breach Notification Law Approved

California Governor Gavin Newsom signed bill AB-1130 that makes revisions to California’s data breach notification law. The new bill expands the definition of personal information which requires the issuance of notifications to state residents impacted by a data breach.

Before the revision, notifications were necessary when there is a compromise of the state residents’ driver’s license number, Social Security number, health data, financial data, or username/passwords. With the update, entities that encounter a breach involving passport numbers, military ID numbers, tax ID numbers, other government ID numbers, or biometric data also need to send breach notifications.

The law is applicable to data breaches where an unauthorized person is reasonably presumed to have acquired the personal information.

California Assemblyman Marc Levine (D) introduced bill AB-1130 with co-sponsorship by California Attorney General Xavier Bercerra. Governor Newsom approved the bill on October 11 and its effectivity begins on January 1, 2020.

California Consumer Privacy Act Updates

Governor Newsom at the same time signed into law the six amendments to the California Consumer Privacy Act (CCPA). With the CCPA, California residents enjoy new privacy protection so that they could exercise their rights over the data that businesses collect.

CCPA is about to take effect starting January 1, 2020, though the new regulation won’t be enforceable 6 months before the California Attorney General puts out the final rules on CCPA. Attorney General Bercerra already issued the first draft of those rules

Dates of public hearing were booked from December 2, 2019 to December 6, 2019. The final draft of the rules will be available in spring 2020. CCPA will be enforced on July 1, 2020 or 6 months following the publication of the final regulations, whichever is earlier. Nevertheless, in case the final regulations are publicized from July 1, 2020 to December 31, 2020, CCPA will be enforced only 6 months after the date of publication.

The following are the CCPA updates that were approved:

  • AB-25 – CCPA will not include anymore the data obtained from job seekers, employees, officers, directors, company owners, medical personnel, and contractors on their first year.
  • AB-874 – “Publicly available information” was updated making clear that the information is legally published from the records of the federal, state, or local government.
  • AB-1146 – Vehicle data gathered using a warranty or recall program is no longer required by CCPA.
  • AB-1202 – Data brokers are necessary to sign up with the California Attorney General’s office.
  • AB-1355 – The CCPA definition of personal information no longer includes aggregated consumer data and de-identified data.
  • AB-1564 – Businesses must present two ways for consumers to get hold of them, except if the business is web-based, in this case, an email address is only needed.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at