The California Consumer Privacy Act (CCPA) gives California residents more control over how their personal information is collected, maintained, sold, and shared by businesses. Because the data privacy law applies only to consumers’ “personal information,” it is critically important to understand what that term means and what it does not include.

The CCPA's definition of personal information is very broad: “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It can be anything from an IP address to geolocation data to browsing history. Because of this, it’s helpful to focus on what kind of consumer data the CCPA tells us is not personal information. There are a few key exemptions; one of the most important is for “publicly available information.”

Why is it important? If information is publicly available, then CCPA consumer rights don’t apply. The collection of such information doesn’t need to be disclosed in a business’s privacy policy, it is not subject to deletion requests, and so on. It is also not covered by the CCPA’s private right of action related to cybersecurity and data breaches. Depending on the business and its practices, determining what information is publicly available can be a big part of the compliance strategy.

What Is Publicly Available Information?

The definition of publicly available information was broadened significantly by the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0. Though these changes do not go into effect until January 1, 2023, they are worth discussing here in order to help businesses begin planning for future CCPA compliance.

The statutory definition is as follows (with changes from the CPRA in italics):

Information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

This creates two major categories of publicly available information—information from government records and information made available to the general public—and an exclusion for biometric information collected without the consumer’s knowledge.

Information from Government Records

Until January 1, 2023, publicly available information is defined exclusively as information lawfully made available from federal, state, and local government records. It’s a relatively narrow definition, but could include a wide variety of information. For example, a business could check local property records to compile a list of homeowners and even learn about their mortgages, if that information is reported in public filings.

The current law also states that personal data is not publicly available if “used for a purpose that is not compatible with the purpose for which the data is maintained and made available.” It’s not clear what kind of purposes would be incompatible, and no guidance has been provided by CCPA regulations. This clause will be removed from the statute when the CPRA becomes effective at the start of 2023.

Information Made Available to the General Public

With the language added by the CPRA, a lot more information will be considered publicly available beginning January 1, 2023. There are many ways information could be “made available to the general public by the consumer or from widely distributed media,” but by far the most common manner will be social media posts and online profiles.

Under this new provision, it appears that social media posts are fair game when it comes to collecting, storing, selling, and sharing consumer data. Businesses do not need to disclose the use of this information or include it when responding to consumer requests, such as a request to delete. This even extends to information contained in posts made by people other than the consumer.

There do seem to be limits, however. Both the “general public” and “not restricted to a specific audience” language suggest that if a social media post or account were set to private, then that information may not be considered to be publicly available.

Biometric Information

Any biometric data collected about a consumer by a business without the consumer’s knowledge is not publicly available information. The business does not need consumer’s consent, however, only their knowledge. A business can likely meet this requirement by including a disclaimer in its privacy policy.

For example, if a social media company scans publicly available photos with its facial recognition technology, the faceprints (a type of biometric data) would also seem to be publicly available information as long as the company had properly disclosed the collection beforehand.

Matters of Public Concern

Personal information does not include “lawfully obtained, truthful information that is a matter of public concern.” Though technically not a type of publicly available information, this exemption was added to the same section of the statute by the CPRA. Its purpose appears to be avoiding conflict between the CCPA and free speech protections. For example, without this exemption, someone might try to use the CCPA to force a newspaper to delete all personal information about them, or attempt to characterize journalism as a sale of personal information.