Tag Archives: Craig A. Newman

Part III: Our Last Look at the CCPA’s Definition of “Personal Information”

by Craig A. Newman and Jonathan (Yoni) Schenker

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

The CCPA excludes information that otherwise meets the definition of “personal information” if the information is already governed under specified federal or state statutes or regulations. Cal Civ. Code §§ 1798.145(c-f)[1]. The CCPA also adopts a narrower definition of “personal information” when conferring a private right of action in the context of a data breach. Id. § 1798.150; see id. § 1798.81.5(d)(1)(A). As we will discuss in a later post, when a private litigant files a data breach lawsuit, the CCPA’s definition of “personal information” isn’t in play but the narrower definition from the state’s existing data breach statute is used.

Our three-part series is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I[2], we explored the breadth of the definition, which is unprecedented in the United States. In Part II[3], we explored the law’s two explicit exclusions from the “personal information” definition for “publicly available” and “deidentified or aggregate consumer information,” noting the lack of clarity in the language of the law. Finally, we conclude our series with a look at the rest of the statute for exclusions from, and limitations to, the information covered under the CCPA.

Part II: A Closer Look at the CCPA’s Definition of “Personal Information”

by Craig A. Newman and Jonathan (Yoni) Schenker

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I[1], we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.”

The CCPA excludes two categories of information from its definition of “personal information”: “publicly available information” and “consumer information that is deidentified or aggregate consumer information.” Cal Civ. Code § 1798.140(o)(2) [2]. As we discuss below, the statute’s definitions of both terms are far from clear, and as with other aspects of the CCPA, interpretative regulations will be useful in assisting businesses as they work their way through both exceptions.

Part I: A Closer Look at California’s New Privacy Regime: The Definition of “Personal Information”

by Craig A. Newman and Jonathan (Yoni) Schenker

The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written[1] in earlier[2] blog[3] posts[4], the CCPA is the most sweeping consumer privacy law in the country.

And the CCPA isn’t set in stone. The California Attorney General’s office recently concluded a public comment period as it prepares to draft interpretative regulations mandated by the CCPA. Not surprisingly, industry lobbyists are out in full force advocating for the legislature to amend the law. Yet with January 1st approaching, businesses potentially affected by the CCPA must start preparing for the law’s implementation.

In an effort to assist organizations in complying with the CCPA’s requirements – and all its moving pieces – we are taking a closer look over the next few months at key aspects of the law. In the event of changes to the CCPA, we will also highlight those on this blog.

Incoming DFS Chief Calls Cyber the “Number One Threat” Facing Industry and Government

by Craig A. Newman and Alejandro H. Cruz

The incoming chief of New York’s top financial services regulator called cybersecurity “the number one threat facing all industries and governments globally” during a speech on Friday, April 12, 2019 at the Association of the Bar of the City of New York.

Linda Lacewell, acting superintendent of the New York State Department of Financial Services (“DFS”), made her remarks at an event focused on insurance regulation and they come at a time when the state’s sweeping cybersecurity regulation — initially implemented more than two years ago — is now in full force. Lacewell, a former federal prosecutor, was nominated in January 2019 by New York Governor Andrew Cuomo to head DFS, which oversees banking and insurance in the state. Lacewell was Cuomo’s chief of staff. Her confirmation has not yet been scheduled.

SEC’s First “Red Flags” Enforcement Case Focuses on Board’s Role

by Craig A. Newman

A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.

In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information including Social Security Numbers, account balances and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule.