Privacy laws often have varying definitions of what constitutes “personal information.” Though these laws have the common goal of protecting individual privacy by regulating the collection, transfer, and storage of information, there are often unique approaches with respect to defining the personal information to be protected under the law.
Generally, privacy laws have adopted three approaches to defining personal information: the tautological approach defines personal information as any information that identifies a person (an example is the Video Privacy Protection Act); the nonpublic approach defines identifiable information as nonpublic personal information (the Gramm-Leach-Bliley Act is an example of this approach); and the specific types approach lists examples of data elements that constitute personal information.
The California Consumer Privacy Act (CCPA) is arguably a mix of both the tautological approach and the specific types approach in defining personal information. Specifically, the definition contains two important features: 1) the definition generally covers information that is capable of identifying the individual or may be reasonably linked to an individual, in addition to information directly identifying the individual; and 2) the definition specifies a number of pieces of information that constitute protected personal information under the law. As will be discussed here, the CCPA’s definition of personal information is arguably broader in scope compared to other privacy laws on the books. That means your business will have to closely scrutinize its information collection, sharing, and storage practices, and identify what information, if any, may fall under the CCPA’s purview.
This article will discuss the following three topics:
- What qualifies as personal information under the CCPA
- What doesn’t qualify as personal information under the CCPA
- The importance of determining whether your business collects personal information
What qualifies as personal information under the CCPA
The CCPA defines “personal information” as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In addition, the definition provides a number of examples of what qualifies as “personal information” under the CCPA. It is important to note that this list is not comprehensive and other pieces of information may also qualify. Examples include:
- First and last names
- Internet Protocol address
- Email addresses
- Social security numbers
- Commercial information, including purchase history and property records
- Biometric information (such as fingerprints)
- Online browsing history, search history, and information regarding a consumer’s interaction with websites, advertisements, and applications
- Geolocation information
Note that protected information as defined by the CCPA need not directly identify the consumer. Pieces of information such as online search history and geolocation information, while “capable of being associated with . . . a particular consumer,” do not directly identify an individual consumer. Nevertheless, businesses must be aware that the CCPA protects a broad array of consumer information. As such, even minimal interaction with consumers, whether it be via a website, an advertisement, or forms for consumers to subscribe to products or services, may involve the collection of CCPA protected information. Businesses must necessarily review these interactions with consumers to determine what information, if any, is protected under the law.
What doesn’t qualify as personal information under the CCPA
While the CCPA protects a broad range of personal information, the law does exempt specific types of information that do not qualify for protection under the law. Information excluded from the law includes the following:
- Publicly available information, defined as “information that is lawfully available from federal, state, or local government records . . . .” Publicly available information does not include:
  - Biometric information collected without the consumer’s knowledge
  - Information that is used for a purpose that is not “compatible” with the purpose for which the information is maintained and made available in public records
- Consumer information that is “deidentified,” defined as “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” provided that the business has done each of the following:
  - Implemented technical safeguards that prevent reidentification of the consumer
  - Implemented business processes that specifically prohibit reidentification
  - Implemented business processes to prevent inadvertent release of deidentified information
  - Makes no attempt to reidentify the information
- Consumer information that is “aggregated,” defined as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to a consumer or household, including via device.” The definition does not include one or more individual consumer records that have been deidentified.
- A consumer’s personal information, provided every aspect of the commercial conduct takes place outside of California. This means personal information was collected from the consumer while he or she was outside of California, no part of the sale of the information occurred in California, and no information collected while the consumer was in California was sold.
- Personal information held by the business is not protected under the law when the business discloses the information pursuant to an evidentiary privilege under state law.
- Information collected by a covered entity under the Confidentiality of Medical Information Act.
- Information collected by a covered entity governed by the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act.
- Personal information sold to or purchased from a Consumer Reporting Agency, if the information is used to create or is used within a consumer report as defined by federal law and the information is limited by the Fair Credit Reporting Act.
- Information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act (“GLBA”) and enforcement regulations, provided the CCPA is in conflict with the GLBA.
- Information collected, processed, sold, or disclosed under the Driver’s Privacy Protection Act of 1994, if it is in conflict with the CCPA.
The importance of determining whether your business collects personal information
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.