June 17, 2019
The California Consumer Privacy Act (CCPA) has effected a sea change in the world of consumer data privacy, in large part because it defines Personal Information (PI) differently than any other law, including Europe’s sweeping General Data Protection Regulation (GDPR). The CCPA definition of Personal Information is broad and, at times, difficult to puzzle out. At its most basic, Personal Information is non-public “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 1798.140(o)(1-2).
Personal vs Publicly Available Information
The most basic question, then, is what qualifies as public information. The CCPA gives a very specific, narrow definition of public information. It is information that is lawfully made available from federal, state, or government records, not including any information that is used for a purpose incompatible with the one for which the government makes it available. 1798.140(o)(2).
What the CCPA does not delve into is how we can decide what qualifies as an “incompatible purpose.” Is it incompatible with their purpose to use land records to target new homeowners with ads for homeowners’ insurance, something that benefits not only the consumer but the local community in the event of a disaster?
Additionally, biometric data collected without the consumer’s knowledge and de-identified/aggregate consumer data are not considered publicly available.
Although we commonly think of information published on social media as publicly available, the CCPA’s definition is far too narrow to exempt information from its definition of “personal” simply because it has been published online somewhere. Similarly, the CCPA requires that the government data be “lawfully” available. Personal Information obtained from government records disclosed to the public through a hack would not meet the “publicly available” CCPA exemption.
Specific Examples of Personal Information
Because the CCPA’s basic definition of Personal Information is general enough to be interpreted in myriad ways, the statute also gives examples of what qualifies as Personal Information. It specifically includes: names; aliases; unique personal identifiers; postal, IP, and email addresses; account names; social security, passport, and driver’s license numbers. Most of that list is fairly clear, but you may be wondering what a “unique personal identifier” is.
According to the CCPA, a unique personal identifier is an identifier that could identify an individual consumer, family, or device “over time and across services.” These identifiers can include IP addresses, cookies, beacons, pixel tags, mobile ad identifiers, customer numbers, unique pseudonyms, user aliases, and telephone numbers. See 1798.140(x). Some of the less traditional items of Personal Information include: biometric, audio, electronic, visual, thermal, and olfactory information (we admit to hoping someone gets sued over this one so that we can (1) laugh and (2) figure out why on earth it was included in the bill). 1798.140(o)(1)(E & H).
The CCPA’s definition of Personal Information also includes commercial information such as “records of personal property, products and services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.” 1798.140(o)(1)(D). This explicitly includes browsing and search histories, geolocation, and consumers’ interactions with websites, ads, and apps. 1798.140(o)(1)(F-G). (Although postal addresses may be considered public information due to property records, it is important to remember that the “public” exception only applies to information made public through government records.)
Professional and employment-related information is also included in the CCPA’s definition of Personal Information. However, business and industry advocates have made a strong argument against including employee information. They are doing this not by pushing for an amendment that removes employment-related information from the definition of consumer. That would mean employment-related information remained part of the definition of PI, so any company that collected employment-related information for non-employment purposes would still have to treat the information as PI under the CCPA. See 1798.140(o)(1)(I).
Incorporating Other Laws
The CCPA also incorporates other state and federal laws into its definition of Personal Information, specifically incorporating the categories of Personal Information identified in 1798.80(e) of the Civil Code. Section 1798.80(e) adds signatures; physical characteristics or descriptions; state identification card numbers; insurance policy numbers; education; employment and employment history; bank account, credit card, and debit card numbers; any other financial information; and health insurance information to the categories of Personal Information protected by the CCPA.
The Federal Educational Rights and Privacy Act (FERPA) allows educational institutions to disclose directory information so long as the schools have given the students/parents general notice of what is included in directory information and the opportunity to opt out. Any personally identifiable education information other than that which FERPA identifies as public must be treated as PI under the CCPA. 1798.140(o)(J).
The CCPA also makes a more generalized, sweeping incorporation of California and federal law by identifying characteristics of protected classifications under California or federal law as Personal Information. 1798.140(o)(1)(C). Examples of protected classifications would include: race, color, sex, gender identity and expression, sexual orientation, age, religion, national origin, disability, citizenship status, and genetic information. Protected classifications are subject to change through both the legislative and judicial processes, so businesses should pay ongoing attention to these categories.
One of the most far-reaching aspects of CCPA’s definition of Personal Information is tucked in at the bottom of a sixteen point description—inferences. In addition to every item or category specifically identified as Personal Information in the text of the CCPA, any inferences drawn from Personal Information and used to create consumer profiles are considered Personal Information. For example, if you create a consumer profile based on the ads a person clicks on that shows the consumer’s preference for certain kinds of outdoor gear and combine that with the posts they like regarding federal lands to create an inference about that consumer’s political persuasion, not only the internet activity itself but the inference and consumer profile are Personal Information under the CCPA. 1798.140(o)(1)(K).
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.