The California Consumer Privacy Act (CCPA) gives California residents more control over how their personal information is collected, maintained, sold, and shared by businesses. Because the data privacy law applies only to consumers’ “personal information,” it is critically important to understand what that term means and what it does not include.
The CCPA's definition of personal information is very broad: “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It can be anything from an IP address to geolocation data to browsing history. Because of this, it’s helpful to focus on what kind of consumer data the CCPA tells us is not personal information. There are a few key exemptions; one of the most important is for “publicly available information.”
The definition of publicly available information was broadened significantly by the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0. Though these changes do not go into effect until January 1, 2023, they are worth discussing here in order to help businesses begin planning for future CCPA compliance.
The statutory definition is as follows (with changes from the CPRA in italics):
Information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
This creates two major categories of publicly available information—information from government records and information made available to the general public—and an exclusion for biometric information collected without the consumer’s knowledge.
Until January 1, 2023, publicly available information is defined exclusively as information lawfully made available from federal, state, and local government records. It’s a relatively narrow definition, but could include a wide variety of information. For example, a business could check local property records to compile a list of homeowners and even learn about their mortgages, if that information is reported in public filings.
The current law also states that personal data is not publicly available if “used for a purpose that is not compatible with the purpose for which the data is maintained and made available.” It’s not clear what kind of purposes would be incompatible, and no guidance has been provided by CCPA regulations. This clause will be removed from the statute when the CPRA becomes effective at the start of 2023.
With the language added by the CPRA, a lot more information will be considered publicly available beginning January 1, 2023. There are many ways information could be “made available to the general public by the consumer or from widely distributed media,” but by far the most common manner will be social media posts and online profiles.
Under this new provision, it appears that social media posts are fair game when it comes to collecting, storing, selling, and sharing consumer data. Businesses do not need to disclose the use of this information or include it when responding to consumer requests, such as a request to delete. This even extends to information contained in posts made by people other than the consumer.
There do seem to be limits, however. Both the “general public” and “not restricted to a specific audience” language suggest that if a social media post or account were set to private, then that information may not be considered to be publicly available.
For example, if a social media company scans publicly available photos with its facial recognition technology, the faceprints (a type of biometric data) would also seem to be publicly available information as long as the company had properly disclosed the collection beforehand.
Personal information does not include “lawfully obtained, truthful information that is a matter of public concern.” Though technically not a type of publicly available information, this exemption was added to the same section of the statute by the CPRA. Its purpose appears to be avoiding conflict between the CCPA and free speech protections. For example, without this exemption, someone might try to use the CCPA to force a newspaper to delete all personal information about them, or attempt to characterize journalism as a sale of personal information.
The first step toward becoming CCPA compliant is creating a data map of the personal information your business collects from consumers and discloses to outside parties. An important part of this process will be determining what qualifies as personal information and what falls under an exemption like publicly available information.
TrueVault Polaris guides your business through every step of CCPA compliance, including categorizing consumers’ personal information. Contact us today to get started.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.