One of the most ubiquitous technologies on the web may become a liability risk for businesses. Learn about Google Analytics, wiretap lawsuits, and how to protect your company.
When it comes to the California Consumer Privacy Act (CCPA), what constitutes “personal information” is one of its most important concepts. All of businesses’ obligations and consumers’ rights under the data privacy law center around the collection and use of consumers’ personal information, so understanding what the term means is one of the first steps toward CCPA compliance.
The CCPA’s definition of personal information is incredibly broad. Arguably, it is even broader than the General Data Protection Regulation’s (GDPR) definition of “personal data.” Using the most recent statutory language, personal information is:
Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
It’s a very inclusive definition that is designed to catch any and every kind of information that is connected to an individual or household. Luckily, the CCPA also has a helpful list of examples. These examples include:
Bearing in mind there are potentially other categories of personal information not included in this list, it should at least give you a sense of the wide variety of data that falls under the CCPA.
With so much data being defined as personal information by the CCPA, it is helpful to look at what the law specifically says is not personal information. There are two main categories of exemptions: publicly available information and deidentified or aggregate consumer information.
Publicly available information originally only included information lawfully made available from federal, state, or local government records. The California Privacy Rights Act (CPRA) significantly expanded this to include two more types of publicly available information. The first is “lawfully obtained, truthful information that is a matter of public concern”—an exemption that covers information collected for journalistic purposes. The second is “information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.” This is important because it covers public consumer data collected from social networks.
Deidentified or aggregate consumer information is data that cannot be linked to a particular consumer or household. Examples include a consumer profile from which all identifiers have been removed, or website usage statistics, such as total homepage visits, that can’t be linked to any identified individual.
In order to avoid conflicting regulatory schemes, the CCPA makes exemptions for personal information that is already covered by other state and federal laws. The three most important are:
To the extent that personal information is already regulated by these laws and businesses are in compliance with them, the CCPA does not apply.
The CPRA also added a new category of personal information: sensitive personal information. This accompanies a new consumer right granted by the CPRA, the right to limit use and disclosure of sensitive personal information. It includes:
The new privacy right means that, with regard to sensitive personal information, consumers can request business to limit its use and disclosure to what is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.” In order to comply with such a request, any business that collects or uses sensitive personal information will need to track it separately in their data map.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.