The starting point for determining a consumer’s rights and a business’s obligations under the CCPA is forming a clear understanding of what “personal information” refers to under the law.
The CCPA offers an incredibly broad definition of personal information. It captures just about any information that can individually identify a consumer and/or information that a business can use to track and predict consumer behavior.
This approach makes sense, as certain types of personal information are extremely important to individuals for privacy and security reasons (e.g., social security number, account passwords), and many types of information are extremely valuable to businesses (e.g., a consumer’s purchasing history, how the consumer interacts with digital advertisements, and the consumer’s browsing history). All of this information (and much, much more) is considered “personal information” under the CCPA.
The CCPA helpfully organizes many examples of personal information into categories:
- Identifiers — real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Other personal information — signature, physical characteristics or description, telephone number
- Financial information — bank account number, credit card number, debit card number, insurance policy number
- Medical information
- Health information
- Protected class information under California or Federal law — race, color, sex, age (40 and older), religion, national origin, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, HIV/AIDS, disability, marital status, familial status, military or veteran status, political affiliations or activities, status as victim of domestic violence, assault, or stalking
- Commercial information — records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information — an individual's physiological, biological, or behavioral characteristics, including an individual's DNA, that can be used, singly or in combination with each other, or with other identifying data, to establish an individual identity
  - Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted; and keystroke patterns, rhythms, and sleep, health, or exercise data that contain identifying information.
- Internet or other electronic network activity information — including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement
- Geolocation information — location data generated by a consumer device, capable of connecting to the Internet, that directly identifies the precise physical location of the identified individual at particular times, and that is compiled and retained (for example, GPS coordinates)
- Audio, electronic, visual, thermal, olfactory, or similar information — this may include photos of individuals, and voice recordings
- Professional or employment-related information — including current employment, and employment history
- Education information — non-public records maintained by schools or other institutions (as defined by the Family Educational Rights and Privacy Act)
- Inferences — inferences drawn from other personal information reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
- Unique or online identifiers, such as cookies and other tracking technologies
It is important to note that personal information applies not only to information about individual consumers, but also to households.
Almost as important as the question “what is personal information” is the question “what is not considered personal information under the CCPA?” The reason this question is so important is that any information that does not fit the definition of “personal information” is not subject to the disclosure requirements in the CCPA.
Personal information does not include:
- Information lawfully made available to the public from government records, whether federal, state or local.
- Any consumer information that is de-identified or aggregated.
  - This may be an important exclusion for some businesses. It means that any information that is not kept in a manner that allows it to reasonably be linked to any particular consumer or household is not subject to the disclosure requirements under the CCPA because it does not fall under the definition of “personal information.” Any business for which this is a relevant consideration should closely read the CCPA’s definition of “deidentified” and “aggregate consumer information.”