Consistent with recent trends in broadening the scope of state data breach notification statutes, Connecticut and Florida have expanded the definitions of personal information under their respective data breach notification statutes to include geolocation data. This change became effective in Connecticut as of Oct. 1 and will become effective in Florida on July 1, 2024.
1. Connecticut’s Data Breach Notification Law Changes
- Connecticut updated its data breach notification statute (Conn. Gen. Stat. § 36a-701b) to expand the definition of “personal information” to now include “precise geolocation data.”
- “Precise geolocation data” means “information derived from technology, including, but not limited to, global positioning system [GPS] level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of [1,750] feet.”
2. Florida’s Data Breach Notification Law Changes
- Florida’s Digital Bill of Rights (SB 262) amends the definition of “personal information” in Florida’s breach notification statute (Fla. Stat. § 501.171) to now include “an individual’s biometric data” and “any information regarding an individual’s geolocation.”
- Notably, unlike with Connecticut, this addition does not come with corresponding definitions, leaving some ambiguity in interpretation.
As more states update their breach notification laws to include elements like geolocation data, an opportunity is presented for organizations to review response plans and consider risk mitigation measures such as effective data retention schedules.
[View source.]
