State Regulatory Developments

California Passes Legislation Expanding Definition of “Personal Information”

On October 5, 2021, Governor Gavin Newsom of California approved legislation amending the Information Practices Act of 1977 (1977 Act), which will specifically impact agencies and businesses that own or license computerized data that includes personal information.  Upon compromise of such data, the 1977 Act requires agencies to disclose a breach of the security of the system to any California resident whose personal information was compromised.  Similarly, the 1977 Act requires businesses that own, license, or maintain personal information concerning California residents to implement and maintain reasonable security procedures and practices.  The same data compromise disclosure requirements for agencies set forth in the 1977 Act apply to businesses, as well.

Assembly Bill 825 (AB 825) expands the 1977 Act’s definition of “personal information” to include “genetic data,” meaning any data, regardless of format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified.  Accordingly, AB 825 requires businesses to disclose data security breaches to any California resident whose personal information, including genetic information, was compromised.