by Craig A. Newman and Jonathan (Yoni) Schenker
In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.
The CCPA excludes information that otherwise meets the definition of “personal information” if the information is already governed under specified federal or state statutes or regulations. Cal Civ. Code §§ 1798.145(c-f)[1]. The CCPA also adopts a narrower definition of “personal information” when conferring a private right of action in the context of a data breach. Id. § 1798.150; see id. § 1798.81.5(d)(1)(A). As we will discuss in a later post, when a private litigant files a data breach lawsuit, the CCPA’s definition of “personal information” isn’t in play but the narrower definition from the state’s existing data breach statute is used.
Our three-part series is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I[2], we explored the breadth of the definition, which is unprecedented in the United States. In Part II[3], we explored the law’s two explicit exclusions from the “personal information” definition for “publicly available” and “deidentified or aggregate consumer information,” noting the lack of clarity in the language of the law. Finally, we conclude our series with a look at the rest of the statute for exclusions from, and limitations to, the information covered under the CCPA. Continue reading