On Wednesday, August 24, the California state senate (the “Senate”) took action on a bill that would expand the definition of protected personal consumer data to include geolocation and biometric information while also requiring companies doing business in California to meet a “reasonably prudent” standard for data security safeguards.  The bill, A.B. 83 (the “Bill”), passed the California state assembly (the “Assembly”) in 2015 but had been dormant for over a year before being recently revived and amended by Assemblyman Mike Gatto (D).  As amended, the Bill would provide state-wide standards for data protection where none currently exist.

However, the California Senate Judiciary Committee’s vote on Wednesday did not result in a passage of the Bill, with two votes in favor of passage, two votes against, and three votes abstaining.  As a result, the Bill was sent back to the Senate floor for further consideration and a third reading.  If subsequently approved, the Assembly would then need to agree to the amendments inserted by Assemblyman Gatto before the Bill is received by Governor Jerry Brown (D) for enactment.

Pursuant to the Bill, the definition of “Personal Information” under California law would be expanded to include geolocation and biometric data, tax identification numbers, passport numbers, military identification numbers, and employment identification numbers.  Recognizing the inherent complexity in expanding legal definitions of this nature, Assemblyman Gatto stated in an interview with Bloomberg BNA that the Bill has been carefully crafted in an attempt to avoid overreach.  For example, the definition would capture personal data obtained by companies like Uber and Fitbit, but would not apply to keycard readers for entering offices or electronic receipts indicating a person’s location.  Although there has not been much further explication on which types of industries or businesses the Bill would precisely govern, it stands to reason that the Bill would not regulate any data gathering or retention that is not related to consumers or is not conducted through consumer devices.

In addition, the Bill would require businesses to implement data storage and transmission procedures that would secure such personal information “to the degree that any reasonably prudent business would provide.”  Businesses would have to regularly assess the adequacy of their protections, which would be based on the type of information under their control, foreseeable threats, the existence of widely accepted industry practices, costs and the size of the business.  Although there are no defined penalties in the Bill, violations would either be enforced through the California Attorney General, or via civil suits for negligence or for unfair business practices under California’s Business and Professions Code Section 17200 (“Section 17200”).

If the Bill were signed into law as currently drafted, the “reasonably prudent” standard for implementing compliant security protocols – like most reasonableness standards – would lack certainty until further case law or legislative guidance on the matter is developed.  Further, Section 17200 provides for a broad swath of potential causes of action in civil court; so if enforcement of the Bill is accomplished via Section 17200, then there may be a corresponding lack of predictability in the ability to avoid or defend against litigation alleging violations of the Bill without further instruction from the courts or legislature.

Nevertheless, the Bill does allow for courts to take into account the size of the business and the cost of implementing widely accepted industry practices in determining what is “reasonably prudent.”  As a result, there is a chance that, as a practical matter, compliance with the Bill would largely resemble current data privacy and security practices.  Further, the proposed amendments would only extend the reach of the Bill to businesses which gather and retain geolocation and biometric data.  The Bill must still withstand a great deal of legislative scrutiny, however, so the true extent and scope of the impact the Bill could have on businesses is yet to be determined.