Data Security Law Blog

Part II: A Closer Look at the CCPA’s Definition of “Personal Information”

 

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.” 

The CCPA excludes two categories of information from its definition of “personal information”: “publicly available information” and “consumer information that is deidentified or aggregate consumer information.” Cal Civ. Code § 1798.140(o)(2). As we discuss below, the statute’s definitions of both terms are far from clear, and as with other aspects of the CCPA, interpretative regulations will be useful in assisting businesses as they work their way through both exceptions.

“Publicly Available”

By its plain language, the CCPA excludes publicly available information from the definition of “personal information,” meaning such information is not covered under the law. Id. The CCPA defines “publicly available” as information that is lawfully available from government records, but adds the following caveat: “if any conditions associated with such information.” Id. Not surprisingly, public comments on the law are quick to point out that the language appears to be missing key words, and in its current form, is next to impossible to interpret. There are at least two proposed amendments to the CCPA that would delete this additional language rather than try to reconcile it. (AB 874; AB 1760).

The CCPA also limits its definition of “publicly available” by carving out information used for a purpose “not compatible with the purpose for which the data is maintained and made available” publicly by the government. Cal. Civ. Code § 1798.140(o)(2). Again, many of the public comments criticized the carve out as vague. Specifically, the law does not explain how businesses should determine either the “purpose” for which a government entity maintained data, or whether the business was using that information for a purpose “compatible” with the government’s purpose. AB 874 also proposes the removal of this confusing exclusion to the definition of “publicly available.”

“Deidentified” and “Aggregate Consumer Information”

The CCPA is also widely understood to exempt from the definition of “personal information” “deidentified” information and “aggregate consumer information.” Cal. Civ. Code § 1798.140(o)(2). The law defines information as “deidentified” if it “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” and a business using such information complies with the following factors:

  1. implements technical safeguards against reidentification;
  2. implements business processes prohibiting reidentification;
  3. implements business processes preventing inadvertent release of the deidentified information; and
  4. makes no attempt to reidentify the information. Id. § 1798.140(h).

The CCPA defines “aggregate consumer information” as information relating to a group or category of consumers with individual consumer identities removed “that is not linked or reasonably linkable to any consumer or household, including via a device.” Id. § 1798.140(a).

The reason we posit that the statute is “widely understood” to exempt these categories of information is that there is an apparent typo that clouds the exemption: Rather than exempt “deidentified or aggregate consumer information” from the definition of “personal information,” the law exempts “deidentified or aggregate consumer information” from the definition of “publicly available.” Id. § 1798.140(o)(2). If it was not a typo, this exemption would be superfluous, as there is no reason to exempt deidentified or aggregate information from the definition of “publicly available.”

Moreover, other sections of the statute make clear that the drafters intended a broad exemption for deidentified and aggregate information: The CCPA explicitly says that it is not restricting covered businesses’ ability to “[c]ollect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.” Id. § 1798.145(a)(5). The law also makes clear three times that it does not require covered businesses “to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.” Id. §§ 1798.145(i); 1798.100(e); see also id. 1798.110(d)(2). Several recently proposed amendments to the bill attempt to correct this typo by replacing the words “publicly available” with “personal information,” including AB 874 and AB 1355. And several public commenters request the state AG clarify that deidentified and aggregate information are clearly excluded from the definition of “personal information.”

Some public comments also decry the “narrow” definition of “deidentified,” which could be read as inconsistent with similar definitions under the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and Europe’s General Data Protection Regulation, or GDPR, affecting information that is already deidentified in compliance with those frameworks. A pending bill, AB 873, proposes changes to the definition of “deidentified” so that it conforms with the U.S. Federal Trade Commission’s broader definition of the term from its 2012 report “Protecting Consumer Privacy in an Era of Rapid Change” at 22. The FTC’s definition of “deidentified” excludes data from its data privacy framework if it meets a three-part test:

  1. a given data set is not reasonably identifiable;
  2. the company with the deidentified data publicly commits not to reidentify it; and
  3. the company requires any downstream users of the data to keep it deidentified.

In our third and final installment in this series, we will look at other sections of the CCPA that exclude information from the CCPA’s coverage.

This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.