CCPA: What is Personal Information?
When it comes to privacy laws, definitions matter. As we’ve discussed, the California Consumer Privacy Act (CCPA) broadly defines personal information. In this post, we’ll look at where the definition has a wider application and where it’s a bit more narrow.
Definition Of Personal Information Under CCPA
The CCPA defines “personal information” to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
What does that mean, exactly?
You’ll want to review the text of the law yourself, but here is the personal information covered under the CCPA:
- Identifiers - real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Other Personal Information - Signature, physical characteristics or description, telephone number
- Financial information - bank account number, credit card number, debit card number, insurance policy number
- Medical information
- Health insurance information - insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.
- Protected class information under California or Federal law — Race, color, sex, age (40 and older), religion, national origin, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, disability: physical or mental, marital status, familial status (including pregnancy), military or veteran status, political affiliations or activities, status as victim of domestic violence, assault, or stalking
- Commercial information — Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information — An individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, and sleep, health, or exercise data that contain identifying information
- Internet or other electronic network activity information - Including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation information — Location data generated by a consumer device capable of connecting to the Internet that directly identifies the precise physical location of the identified individual at particular times and that is compiled and retained. (example: GPS coordinates)
- Audio, electronic, visual, thermal, olfactory, or similar information - This may include photos of individuals and voice recordings
- Professional or employment-related information — Including employment, and employment history
- Education information — Non-public records maintained by schools or other institutions (as defined by Family Educational Rights and Privacy Act)
- Inferences - Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Device information and browser information - Information gathered in cookies (often third-party cookies) that can be used for digital fingerprinting
This is the definition of Personal Information — the information for which CCPA grants California consumers certain rights: the right to know, the right to request deletion, and the right to opt out of sales of your personal information.
Some information is excluded from this definition:
- “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
- De-identified or aggregated information is not considered personal information
GDPR vs. CCPA
If you’re already compliant with GDPR, you’ll find it a lot easier to become compliant with CCPA, but there’s still work to be done as GDPR has a narrower definition of personal information.
The CCPA covers “consumers” who are natural persons who reside in California, whereas the GDPR protects “data subjects,” who count as natural persons in the EU, and doesn’t identify specific residency or citizenship requirements.
Why This Matters To You
The first step to becoming compliant is understanding what personal information you store and where. If you haven’t already created a data map for your business, you will need to. If you did so for GDPR, you’ll probably need to increase the scope of any data management tools or processes to be more comprehensive. We’ll talk more about how to build a data map in future blog posts.