by Craig A. Newman and Jonathan (Yoni) Schenker
The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written[1] in earlier[2] blog[3] posts[4], the CCPA is the most sweeping consumer privacy law in the country.
And the CCPA isn’t set in stone. The California Attorney General’s office recently concluded a public comment period as it prepares to draft interpretative regulations mandated by the CCPA. Not surprisingly, industry lobbyists are out in full force advocating for the legislature to amend the law. Yet with January 1st approaching, businesses potentially affected by the CCPA must start preparing for the law’s implementation.
In an effort to assist organizations in complying with the CCPA’s requirements – and all its moving pieces – we are taking a closer look over the next few months at key aspects of the law. In the event of changes to the CCPA, we will also highlight those on this blog.
Our first[5] installment looked at timing issues and when covered businesses should have their compliance programs up and running. Next[6] we examined which consumers and businesses were covered under the CCPA.
This is the first of three posts that consider the CCPA’s definition of “personal information.” Part I focuses on the information included in the statutory definition. Part II will discuss the flip side of the definition and the information specifically excluded from it. And Part III will look at information excluded in other sections of the statute.
The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1)[7]. By any measure, this definition is broad. The law also sets forth a nonexclusive list of information included within the definition as examples of the sorts of data the CCPA considers covered by the definition.
Critics have pointed out that terms in the definition such as “is capable of being associated with” are overbroad and do not provide sufficient guidance to businesses. The inclusion of the term “household” has also come under fire, as it is undefined and could lead to information about one person in a household being disclosed improperly to another person in that household, without limitations or other parameters. These criticisms have been expressed at the recent public forums on the CCPA held by the state’s AG and through public comments submitted to that office (transcripts of the forums and publicly filed comments on the CCPA can be found here[8]). At least one bill (AB 873[9]) has been introduced to, among other things, delete the words “is capable of being associated with” and “household” from the “personal information” definition.
As we’ve noted, the CCPA also provides a nonexclusive list of specific categories of information that are included within the definition. This list, made up of 11 separate categories, comprises the most expansive definition of “personal information” of any consumer privacy-related law in the United States. There is some overlap in the statute between the categories, but in the following summary, we included each type of information only once:
- name or alias, address, IP address (another controversial inclusion), email, account name, and other identifiers such as social security, driver’s license, or passport number, § 1798.140(o)(1)(A);
- “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to,” signature, physical characteristics, education, employment or employment history, and financial, medical or health insurance information, as well as the following numbers: telephone, insurance policy, bank account, credit card, and debit card, §§ 1798.140(o)(1)(B); 1798.80(e);
- “[c]haracteristics of protected classifications under California or federal law,” § 1798.140(o)(1)(C);
- commercial information, such as records of personal property, products or services purchased or considered, and purchasing histories or tendencies, § 1798.140(o)(1)(D);
- biometric information, meaning physiological, biological, or behavioral characteristics, including DNA, sufficient to establish identity, such as images of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings capable of producing an identifier template, as well as keystroke and gait patterns or sleep, health, or exercise data that contain identifying information, §§ 1798.140(o)(1)(E), 1798.140(b);
- internet or other network activity such as browsing history or interactions with websites, apps, or ads, id. § 1798.140(o)(1)(F);
- geolocation data, id. § 1798.140(o)(1)(G);
- “[a]udio, electronic, visual, thermal, olfactory, or similar information,” id. § 1798.140(o)(1)(H);
- “professional or employment-related information,” id. § 1798.140(o)(1)(I);
- education information including the name or address of a student or family members, student number, date or place of birth, mother’s maiden name, handwriting, or other information that could identify a student with reasonable certainty, id. § 1798.140(o)(1)(J); 34 C.F.R. § 99.3 (definitions of “personally identifiable information” and “biometric record”); and
- inferences drawn from any of the above information to create a consumer profile, Cal. Civ. Code § 1798.140(o)(1)(K).
In our next installment, we’ll look at the statutory limitations placed on the definition of “personal information.”
Footnotes
[1] California Enacts Sweeping Consumer Privacy Law
[2] California’s New Privacy Law: A Closer Look
[3] What New York Businesses Need To Know About California’s New Data Privacy Law
[4] California Legislature Makes Last Minute Changes to New Data Privacy Law
[5] New Year’s Resolution 2019: Compliance With California’s Consumer Privacy Act
[6] A Closer Look at California’s New Privacy Regime: Two Critical Definitions
[7] California Consumer Privacy Act
[8] CCPA Current Rulemaking Activity
[9] California Consumer Privacy Act of 2018 Bill Text
This post was originally published on Patterson Belknap’s Data Security Law Blog.
Craig A. Newman is a partner and Jonathan (Yoni) Schenker is an associate at Patterson Belknap Webb & Tyler LLP.