Data Security Law Blog

Part III: Our Last Look at the CCPA’s Definition of “Personal Information”

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

The CCPA excludes information that otherwise meets the definition of “personal information” if the information is already governed under specified federal or state statutes or regulations. Cal Civ. Code §§ 1798.145(c-f). The CCPA also adopts a narrower definition of “personal information” when conferring a private right of action in the context of a data breach. Id. § 1798.150; see id. § 1798.81.5(d)(1)(A). As we will discuss in a later post, when a private litigant files a data breach lawsuit, the CCPA’s definition of “personal information” isn’t in play but the narrower definition from the state’s existing data breach statute is used.

Our three-part series is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition, which is unprecedented in the United States. In Part II, we explored the law’s two explicit exclusions from the “personal information” definition for “publicly available” and “deidentified or aggregate consumer information,” noting the lack of clarity in the language of the law. Finally, we conclude our series with a look at the rest of the statute for exclusions from, and limitations to, the information covered under the CCPA.

Exclusions from the CCPA

As drafted, the CCPA contains a series of explicit exclusions from the entire law for information already covered under other state or federal statutes or regulations:

  • Medical information “governed” by California’s Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code § 56 et seq.), Cal. Civ. Code § 1798.145(c)(1)(A);
  • Protected health information (PHI) “collected” by a covered healthcare entity or business associate “governed” by the United States Department of Health and Human Services’ privacy, security, and breach notification rules pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), id.;
  • Clinical trial information “collected” under the Federal Policy for the Protection of Human Subject (the Common Rule) “pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration,” id. § 1798.145(c)(1)(C);
  • Personal information “sold” to, or from, a consumer reporting agency used to create a consumer report regulated by the federal Fair Credit Reporting Act (15 U.SC. § 1681, et seq.), Cal Civ. Code § 1798.145(d);
  • Personal information “collected, processed, sold, or disclosed pursuant to” the federal Gramm-Leach-Bliley Act of 1999 (GLBA) (Pub L. 106-102). GLBA, through the Federal Trade Commission’s Safeguards Rule and the Consumer Financial Protection Bureau’s Privacy Rule, generally requires businesses significantly engaged in financial activities to develop information security plans to protect customer information and provide notices and sometimes opt-outs regarding their customer and consumer information-sharing practices. Such information, however, is not exempt from the CCPA’s private right of action for data breaches, Cal Civ. Code § 1798.145(e);
  • Personal information “collected, processed, sold, or disclosed pursuant to” the California Financial Information Privacy Act (Cal. Fin. Code 4050 et seq.), but like GLBA, such information is not exempt from the CCPA’s private right of action for data breaches, Cal Civ. Code § 1798.145(e);
  • Personal Information “collected, processed, sold, or disclosed” under the federal Driver’s Privacy Protection Act of 1994 (18 U.SC. § 2721, et seq.), but again, such information is not exempt from the private right of action for data breaches, Cal Civ. Code § 1798.145(f).

The CCPA also excludes “patient information” maintained by a provider under the CMIA or by covered healthcare entities under HIPAA and HITECH to the extent that the providers or covered entities maintain that “patient information” in the same manner as their medical information under the CMIA or PHI under the privacy, security, and breach notification rules of HIPAA and HITECH. Id. § 1798.145(c)(1)(B).

Limited Definition in the Private Right of Action

The CCPA includes a limited private right of action, along with statutory damages of up to $750 “per consumer per incident or actual damages, whichever is greater,” for consumer’s whose personal information is breached as a result of a business’s violation of its duty to maintain reasonable security procedures and practices. Cal. Civ. Code § 1798.150. As we’ve noted, this section does not adopt the expansive definition of “personal information” of the CCPA but instead, explicitly adopts the more limited definition of “personal information” contained in California’s preexisting data breach law. Id.; see id. § 1798.81.5. That more limited definition covers:

  • an individual’s name along with a
    • social security, driver’s license, or California identification card number;
    • account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or
    • medical or health insurance information, id.; or
  • a username or email address with a password or security question and answer that would permit access to an online account, § 1798.81.5(d)(1).

The CCPA thus does not provide a private right of action to consumers to enforce its expansive definition of “personal information,” as the rest of the statute is only enforceable by the California Attorney General. Id. § 1798.155(b).

This blog will continue in-depth coverage of the CCPA as the operative date, January 1, approaches.

We will discuss this private right of action in a later blog post.

This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.