Privacy laws like the California Consumer Privacy Act (CCPA) protect and regulate the use of “personal information,” but what does that term mean? It is perhaps the most widely misunderstood concept in the CCPA, because it is much broader than most people think. Of course it includes identifiers like names, email addresses, Social Security Numbers, etc., but there is a lot more data that is considered to be “personal information” under the CCPA.
Because understanding what is and isn’t personal information is so fundamental to privacy compliance, we’ll go over the official definition and give real-world examples.
Here is the official definition of personal information, as given by the CCPA:
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information, therefore, is much more than simple identifiers. It includes any information that relates to a particular person (or, as other laws such as the GDPR put it, an “identified or identifiable natural person”).
Information that is deidentified, i.e., that cannot be reasonably linked to a particular person, is not considered personal information. However, that exception may become more difficult to rely on as technology gets better and better at connecting otherwise anonymous data (such as web browsing activity) to a particular consumer. For this reason, amendments added by the California Privacy Rights Act (CPRA) require businesses that use deidentified information to publicly commit to keeping such data in deidentified form and contractually obligate any recipients of the data to do the same.
Here are some examples of CCPA personal information, broken down by category.
These are types of data that, by their very nature, relate to a particular person or household.
This is a very important category of personal information, because virtually every website collects some form of this data from each of its visitors.
Internet activity is commonly tracked for marketing and analytics purposes, and is a strong privacy concern for many consumers.
This type of personal information is usually tracked meticulously, as it relates to how consumers spend their money and the ways they pay for purchases.
Geolocation data can be easily collected not just through GPS location sharing, but also through other means such as information provided via internet service providers.
Biometric data is of particular sensitivity because it can never be changed.
Though distinct from biometric data, other categories of personal information still relate physically to a particular person.
These categories of data relate to personal characteristics protected by state and federal laws.
This type of data most often is collected in the employment context.
Information about a particular consumer that has been derived from existing personal information is itself considered personal information.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.