Part I: A Closer Look at California’s New Privacy Regime: The Definition of “Personal Information”
The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written in earlier blog posts, the CCPA is the most sweeping consumer privacy law in the country.
And the CCPA isn’t set in stone. The California Attorney General’s office recently concluded a public comment period as it prepares to draft interpretative regulations mandated by the CCPA. Not surprisingly, industry lobbyists are out in full force advocating for the legislature to amend the law. Yet with January 1st approaching, businesses potentially affected by the CCPA must start preparing for the law’s implementation.
In an effort to assist organizations in complying with the CCPA’s requirements – and all its moving pieces – we are taking a closer look over the next few months at key aspects of the law. In the event of changes to the CCPA, we will also highlight those on this blog.
Our first installment looked at timing issues and when covered businesses should have their compliance programs up and running. Next we examined which consumers and businesses were covered under the CCPA.
This is the first of three posts that consider the CCPA’s definition of “personal information.” Part I focuses on the information included in the statutory definition. Part II will discuss the flip side of the definition and the information specifically excluded from it. And Part III will look at information excluded in other sections of the statute.
The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1). By any measure, this definition is broad. The law also sets forth a nonexclusive list of information included within the definition as examples of the sorts of data the CCPA considers covered by the definition.
Critics have pointed out that terms in the definition such as “is capable of being associated with” are overbroad and do not provide sufficient guidance to businesses. The inclusion of the term “household” has also come under fire as it is undefined and could lead information about one person in a household to be disclosed improperly to another person in that household, without limitations or other parameters. These criticisms have been expressed at the recent public forums on the CCPA held by the state’s AG and through public comments submitted to that office (transcripts of the forums and publicly filed comments on the CCPA can be found here). At least one bill (AB 873) has been introduced to, among other things, delete the words “is capable of being associated with” and “household” from the “personal information” definition.
As we’ve noted, the CCPA also provides a nonexclusive list of specific categories of information that are included within the definition. This list, made up of 11 separate categories, comprises the most expansive definition of “personal information” of any consumer privacy-related law in the United States. (There is some overlap between the categories in the statute, but in the following summary we have included each type of information only once):
A. name or alias, address, IP address (another controversial inclusion), email, account name, and other identifiers such as social security, driver’s license, or passport number, id. § 1798.140(o)(1)(A);
B. “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to,” signature, physical characteristics, education, employment or employment history, and financial, medical or health insurance information, as well as the following numbers: telephone, insurance policy, bank account, credit card, and debit card, id. §§ 1798.140(o)(1)(B), 1798.80(e);
C. “[c]haracteristics of protected classifications under California or federal law,” id. § 1798.140(o)(1)(C);
D. commercial information, such as records of personal property, products or services purchased or considered, and purchasing histories or tendencies, id. § 1798.140(o)(1)(D);
E. biometric information, meaning physiological, biological, or behavioral characteristics, including DNA, sufficient to establish identity, such as images of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings capable of producing an identifier template, as well as keystroke and gait patterns or sleep, health, or exercise data that contain identifying information, id. §§ 1798.140(o)(1)(E), 1798.140(b);
F. internet or other network activity such as browsing history or interactions with websites, apps, or ads, id. § 1798.140(o)(1)(F);
G. geolocation data, id. § 1798.140(o)(1)(G);
H. “[a]udio, electronic, visual, thermal, olfactory, or similar information,” id. § 1798.140(o)(1)(H);
I. “professional or employment-related information,” id. § 1798.140(o)(1)(I);
J. education information including the name or address of a student or family members, student number, date or place of birth, mother’s maiden name, handwriting, or other information that could identify a student with reasonable certainty, id. § 1798.140(o)(1)(J); 34 C.F.R. § 99.3 (definitions of “personally identifiable information” and “biometric record”); and
K. inferences drawn from any of the above information to create a consumer profile, Cal. Civ. Code § 1798.140(o)(1)(K).
In our next installment, we’ll look at the statutory limitations placed on the definition of “personal information.”
This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.