When it comes to the California Consumer Privacy Act (CCPA), what constitutes “personal information” is one of its most important concepts. All of businesses’ obligations and consumers’ rights under the data privacy law center around the collection and use of consumers’ personal information, so understanding what the term means is one of the first steps toward CCPA compliance.
The CCPA’s definition of personal information is incredibly broad. Arguably, it is even broader than the General Data Protection Regulation’s (GDPR) definition of “personal data.” Using the most recent statutory language, personal information is:
Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
It’s a very inclusive definition that is designed to catch any and every kind of information that is connected to an individual or household. Luckily, the CCPA also has a helpful list of examples. These examples include:
Bearing in mind there are potentially other categories of personal information not included in this list, it should at least give you a sense of the wide variety of data that falls under the CCPA.
With so much data being defined as personal information by the CCPA, it is helpful to look at what the law specifically says is not personal information. There are two main categories of exemptions: publicly available information and deidentified or aggregate consumer information.
Publicly available information originally only included information lawfully made available from federal, state, or local government records. The California Privacy Rights Act (CPRA), effective January 2023, significantly expands this to include two more types of publicly available information. The first is “lawfully obtained, truthful information that is a matter of public concern”—an exemption that covers information collected for journalistic purposes. The second is “information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.” This is important because it covers public consumer data collected from social networks.
Deidentified or aggregate consumer information is data that cannot be linked to a particular consumer or household. Examples include a consumer profile from which all identifiers have been removed, or website usage statistics, such as total homepage visits, that can’t be linked to any identified individual.
In order to avoid conflicting regulatory schemes, the CCPA makes exemptions for personal information that is already covered by other state and federal laws. The three most important are:
To the extent that personal information is already regulated by these laws and businesses are in compliance with them, the CCPA does not apply.
The CPRA also adds a new category of personal information: sensitive personal information. This accompanies a new consumer right granted by the CPRA, the right to limit use and disclosure of sensitive personal information. It includes:
The new privacy right means that, with regard to sensitive personal information, consumers can request business to limit its use and disclosure to what is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.” In order to comply with such a request, any business that collects or uses sensitive personal information will need to track it separately in their data map.
Businesses are collecting more consumer data than ever, and with such a large part of it being considered personal information by the CCPA, getting compliant can be a complicated task. Assigning an internal staff member to make your business CCPA compliant can easily lead to weeks or even months of lost productivity as they try to familiarize themselves with the law, and can potentially result in expensive mistakes. Hiring a compliance attorney may be faster, but generally costs tens of thousands of dollars.
TrueVault Polaris combines the convenience of the in-house approach with the expertise of hiring outside help. A software-based compliance automation tool, TrueVault Polaris guides your business every step of the way to get you compliant in less time and at a fraction of the cost of other solutions. Contact our team today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.