CCPA: What is Personal Information?
When it comes to privacy laws, definitions matter. As we’ve discussed, the California Consumer Privacy Act (CCPA) broadly defines personal information. In this post, we’ll look at where the definition has a wider application and where it’s a bit more narrow.
Definition Of Personal Information Under CCPA
The CCPA defines “personal information” to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What does that mean, exactly?
You’ll want to review the text of the law yourself, but here is the personal information covered under the CCPA:
- Identifiers - real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Other Personal Information - Signature, physical characteristics or description, telephone number
- Financial information - bank account number, credit card number, debit card number, insurance policy number
- Medical information
- Health information
- Protected class information under California or Federal law — Race, color, sex, age (40 and older), religion, national origin, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, disability, marital status, familial status, military or veteran status, political affiliations or activities, status as victim of domestic violence, assault, or stalking
- Commercial information — Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information — An individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, and sleep, health, or exercise data that contain identifying information
- Internet or other electronic network activity information - Including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation information — Location data generated by a consumer device capable of connecting to the Internet that directly identifies the precise physical location of the identified individual at particular times and that is compiled and retained. (example: GPS coordinates)
- Audio, electronic, visual, thermal, olfactory, or similar information - This may include photos of individuals and voice recordings
- Professional or employment-related information — Including employment, and employment history
- Education information — Non-public records maintained by schools or other institutions (as defined by Family Educational Rights and Privacy Act)
- Inferences - Inferences drawn from other personal information reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Unique or online identifiers, such as cookies and other tracking technologies
Some information is excluded from this definition:
- “Personal information” does not include publicly available information, which is information that is lawfully made available to the general public from federal, state, or local government records.
- De-identified or aggregated information is not considered personal information
GDPR vs. CCPA
If you’re already compliant with GDPR, you’ll find it a lot easier to become compliant with CCPA, but there’s still work to be done as GDPR has a narrower definition of personal information.
The CCPA covers “consumers” who are natural persons who reside in California, whereas the GDPR protects “data subjects,” who count as natural persons in the EU, and doesn’t identify specific residency or citizenship requirements.
Why This Matters To You
The first step to becoming compliant is understanding what personal information you collect and share. If you haven’t already created an information map for your business, you will need to. If you did so for GDPR, you’ll probably need to increase the scope of any data management tools or processes to be more comprehensive. We’ll talk more about how to build an information map in future blog posts.