The California Consumer Privacy Act (CCPA) gives California residents more control over how their personal information is collected, maintained, sold, and shared by businesses. Because the data privacy law applies only to consumers’ “personal information,” it is critically important to understand what that term means and what it does not include.
The CCPA's definition of personal information is very broad: “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It can be anything from an IP address to geolocation data to browsing history. Because of this, it’s helpful to focus on what kind of consumer data the CCPA tells us is not personal information. There are a few key exemptions; one of the most important is for “publicly available information.”
Why is it important? If information is publicly available, then CCPA consumer rights don’t apply. The collection of such information doesn’t need to be disclosed in a business’s privacy policy, it is not subject to deletion requests, and so on. It is also not covered by the CCPA’s private right of action related to cybersecurity and data breaches. Depending on the business and its practices, determining what information is publicly available can be a big part of the compliance strategy.
The definition of publicly available information was broadened significantly by the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0. Though these changes do not go into effect until January 1, 2023, they are worth discussing here in order to help businesses begin planning for future CCPA compliance.
The statutory definition is as follows (with changes from the CPRA in italics):
Information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
This creates two major categories of publicly available information—information from government records and information made available to the general public—and an exclusion for biometric information collected without the consumer’s knowledge.
Until January 1, 2023, publicly available information is defined exclusively as information lawfully made available from federal, state, and local government records. It’s a relatively narrow definition, but could include a wide variety of information. For example, a business could check local property records to compile a list of homeowners and even learn about their mortgages, if that information is reported in public filings.
The current law also states that personal data is not publicly available if “used for a purpose that is not compatible with the purpose for which the data is maintained and made available.” It’s not clear what kind of purposes would be incompatible, and no guidance has been provided by CCPA regulations. This clause will be removed from the statute when the CPRA becomes effective at the start of 2023.
With the language added by the CPRA, a lot more information will be considered publicly available beginning January 1, 2023. There are many ways information could be “made available to the general public by the consumer or from widely distributed media,” but by far the most common manner will be social media posts and online profiles.
Under this new provision, it appears that social media posts are fair game when it comes to collecting, storing, selling, and sharing consumer data. Businesses do not need to disclose the use of this information or include it when responding to consumer requests, such as a request to delete. This even extends to information contained in posts made by people other than the consumer.
There do seem to be limits, however. Both the “general public” and “not restricted to a specific audience” language suggest that if a social media post or account were set to private, then that information may not be considered to be publicly available.
Any biometric data collected about a consumer by a business without the consumer’s knowledge is not publicly available information. The business does not need the consumer’s consent, however, only their knowledge. A business can likely meet this requirement by including a disclaimer in its privacy policy.
For example, if a social media company scans publicly available photos with its facial recognition technology, the faceprints (a type of biometric data) would also seem to be publicly available information as long as the company had properly disclosed the collection beforehand.
Personal information does not include “lawfully obtained, truthful information that is a matter of public concern.” Though technically not a type of publicly available information, this exemption was added to the same section of the statute by the CPRA. Its purpose appears to be avoiding conflict between the CCPA and free speech protections. For example, without this exemption, someone might try to use the CCPA to force a newspaper to delete all personal information about them, or attempt to characterize journalism as a sale of personal information.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.