California Consumer Privacy Act: GDPR-like definition of personal information

Data Protection Report - Norton Rose Fulbright

This is the Data Protection Report’s third blog post in a series of CCPA blog posts that will break down the major elements of the CCPA which will culminate in a webinar on the CCPA in October. This blog focuses on the CCPA’s broad definition of Personal Information. Stay tuned for additional blogs and information about our upcoming webinar on the CCPA.

The California Consumer Privacy Act (“CCPA” or the “Act”) sets a new precedent with its sweeping definition of Personal Information (“PI”). The CCPA defines “[p]ersonal information” as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

The Act specifies a variety of new data elements that constitute PI including but not limited to: (1) identifiers such as any unique personal identifier or IP address; (2) electronic network activity information, including, browser histories, search history, and any information regarding a consumer’s interaction with a Web site, application or advertisement; (3) audio, electronic, visual, thermal, and olfactory information; and (4) geolocation data. In addition, the Act specifies that any “inferences drawn” from various data elements of PI “to create a profile about a consumer reflecting the consumer’s preference, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes” constitutes PI.

This definition of PI greatly expands on the narrow definition of what constituted PI under previous California state laws. Mainly, the CCPA represents a departure from the US state breach statutes which generally required the name of the consumer to be included in the data set for the information to trigger a breach notice. By removing the name requirement and instead including specific data elements such as IP address, browser history and geolocation data as PI, the CCPA requires companies to reexamine how data is tagged and risks related to data is analyzed and mitigated. For example, in the past, companies knew data that did not include the name of the consumer would not trigger a data breach notification in California if it was accessed or used inappropriately. Now, under CCPA, even data that does not contain the name but may otherwise identify, relate to, describe or is capable of being associated with, or could be reasonably linked with a particular consumer or household must be analyzed to see if the CCPA protections apply.

Also, it is important to note that the CCPA applies to PI of all ‘consumers’, which is defined as any California resident. Subject to certain qualifications, a resident is defined as “every individual who is in the State for other than a temporary or transitory purpose, and every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose.” Thus, the jurisdiction of the CCPA could be as widely interpreted as to cover the collection, handling and use of website browsing history or geolocation data of mobile devices belonging to California residents or California residents while traveling outside of the state.

While the definition of PI is sweeping, the Act does set out several carve outs. First, PI does not include any “publicly available” information that is lawfully made available from federal, state, or local government records. Notably, the public availability exception does not apply to government records if the data is used for purposes other than the purpose for which the data is made publicly available or to consumer information that is de-identified or aggregated.

The Act also does not restrict businesses in the collection, use, retention, or sale of de-identified information, as long as the multiple requirements set forth for de-identification in the Act are followed. De-identified data is “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” In order to meet this standard, a company must implement: (1) technical safeguards that prohibit re-identification; (2) business processes that specifically prohibit re-identification; and (3) business processes to prevent inadvertent release of de-identified information. In addition, a company may make no attempt to re-identify the information. Based on the language of the Act, it is clear that some current approaches to de-identification information will not satisfy this new threshold.

Takeaways

Update the company’s data risk framework to include the expanded definition of personal information under CCPA.
Update the company’s data breach response plan to include scenarios involving the improper or unauthorized collection, use, or sharing of personal information as defined under CCPA.
Reexamine the company’s methods for creating de-identified or anonymous sets of data.

The Data Protection Report will continue to provide updates on the status of any revisions to the CCPA.

Look out for our next blog article which will address the CCPA’s disclosure requirements.