CCPA – Definition of Personal Information in California’s Privacy Law
The California Consumer Privacy Act protects the personal information of California residents, referred to by the privacy law as consumers. To clarify to businesses precisely what they need to protect, the CCPA contains a definition of personal information. However, the breadth of the definition means that businesses need to protect a broad range of information and may need to make judgment calls about information on the periphery.
The definition of personal information in the CCPA includes 11 categories, which can be summarized as:
2) Select Information in Customer Records
3) Legally Protected Characteristics
4) Commercial Purchasing Information
5) Biometric Information
6) Internet or Network Activity
8) Information Typically Detected by the Senses
9) Employment Information
10) Education Information
11) Inferences from Above Used to Profile
However, this is really only the beginning as the definition of personal information is not limited to these categories. Personal information includes anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
There are several exclusions from the definition of personal information. One of them is that it does not include deidentified or aggregate consumer information. It also does not include publicly available information, which is defined as information lawfully made available from federal, state, or local government records.
Some of the specific data identified as personal information:
– real name,
– postal address,
– unique personal identifier,
– online identifier,
– Internet Protocol address,
– email address,
– account name,
– social security number,
– driver’s license number,
– passport number, or
– other similar identifiers.
2) Information in Customer Records:
– social security number,
– physical characteristics or description,
– telephone number,
– passport number,
– driver’s license or state identification card number,
– insurance policy number,
– employment history,
– bank account number,
– credit card number,
– debit card number,
– financial information,
– medical information,
– health insurance information.
6) Internet Activity:
– browsing history,
– search history,
– information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
8) Information Detected by the Senses (this moniker is not listed in the CCPA but seems to fit well):
– similar information.
The Attorney General has the power to add additional categories of personal information in regulations issued after the solicitation of broad public participation in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
Areas of Controversy
There are at least several major areas of controversy around the definition of personal information at the moment.
The first is that there has been testimony in legislative hearings from proponents of the bill after the CCPA passed that IP address alone is not considered as personal information. This has been in response to criticism that there really is no true carve out for small businesses since many businesses with less than $25 million in revenue will hit the data collection threshold. If a consumer’s IP address alone is considered personal information under the bill, then a website server which is collecting that information in its server logs will only need 137 visitors a day from California to reach the CCPA threshold and become a covered business. Many people read the CCPA as covering all collection of IP addresses, but some proponents have testified otherwise.
The second is that the personal information of employees is included within the scope of the law. AB-25 is a proposed bill in the California Assembly that would remove employees from the definition of consumer and end the controversy. We will be closely following the bill to see whether it is approved by the California legislature. In the latest version of AB-25 up for a possible Senate floor vote, employee data is excluded from the CCPA for a one year period so that consumer advocates and business groups can determine how to appropriately protect employee data privacy.
Another area of controversy has been the inclusion of households within the definition of personal information. Businesses have publicly noted the problem with this for the right to access and right to delete and asked for guidance during the rulemaking process from the California Attorney General.
Contact Clarip for Help with Your Privacy Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.
Last updated: August 16, 2019