California Amends Key CCPA Definitions | McDermott

McDermott Will & Schulte, a global law firm

ARTICLE / CLIENT ALERT

California Amends Key CCPA Definitions

October 2, 2024

Read time: 3 min

Overview

California is set to amend the California Consumer Privacy Act of 2018 (CCPA) with two recent amendments that have been signed into law. Assembly Bill (AB 1008) and Senate Bill 1223 (SB 1223) aim to clarify how the law defines personal information and double down on the recent focus on biometric information among the states. The amendments carve out the scope of what is publicly available information and expand the breadth of the definition of sensitive personal information to include neural data.

In depth

SB 1223

SB 1223 expands the CCPA’s definition of sensitive personal information to include neural data. The bill defines neural data to mean “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” This expansion of the definition of sensitive personal information follows Colorado’s recent passage of HB 24-1058, which specifically expanded the safeguards for neural data. SB 1223 will require businesses that collect neural data to include proper disclosures in their privacy policies and respect a consumer’s right to limit the use of that data.

AB 1008

Assembly Bill 1008 includes two significant definitional updates to the CCPA. First, it clarifies that “personal information” can exist in various formats, including artificial intelligence (AI) systems that are capable of outputting personal information. Second, it makes clear that biometric information collected without a consumer’s knowledge can never be deemed “publicly available” and therefore not exempt from the definition of “personal information.”

Key Takeaways

  • Companies that collect neural information must now consider that information “biometric” information under the CCPA, and they must comply with the CCPA rules related to sensitive personal information, such as providing consumers with the right to limit the use of their sensitive personal information.
  • Biometric information collected without a consumer’s knowledge cannot be considered “publicly available” and will not be exempt from the definition of “personal information.”
  • AI systems can contain and create personal information.

Our cross-practice team continues to closely monitor global privacy and cybersecurity developments. To learn more, reach out to one of the authors or your regular McDermott lawyer to discuss the potential legal implications for your business.

Authors

Amy C. Pimentel

Partner

Boston

David P. Saunders

Partner

Chicago

Dalyn D. Dessaure

Associate

Washington, DC

More Insights