CCPA Definitions
A consumer under the CCPA is any permanent California resident.
Don’t let the word “consumer” fool you.
Any permanent California resident has rights under the CCPA — employees and customers — even if they’re traveling out-of-state on business or a family vacation, which means segmenting your customers by login location won’t necessarily work.
Companies like Overstock, Drift, Revolve and Microsoft have decided to solve this problem by treating all Americans as California residents.
All of the CCPA requirements center around whether or not a business is collecting or processing personal information.
Personally Identifiable Information (PII) refers to information that identifies, relates to or describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Note: Household is loosely defined in the CCPA. It could refer to two non-family members sharing an apartment or only family members.
What are the CCPA categories of Personal Information?
Note: This list is not exhaustive and any ONE “match” satisfies the definition above. For example, an email address, such as [email protected], could be personal information by itself because it tells us a person and her employer.
Personal Identifiers
Personal Identifiers (PID) are a subset of personally identifiable information (PII) data elements, which identify a unique individual and can permit another person to “assume” that individual’s identity without their knowledge or consent.
Examples of Personal Identifiers:
- Real name
- Alias
- Postal address
- Unique personal identifier (see below)
- Online identifier
- IP address
- Email address
- Account name
- Social security number
- Driver’s license number
- Passport number
Unique Personal Identifiers:
A unique personal identifier is a consistent identifier that can be used to recognize a consumer, a family or a device that’s linked to a consumer or family over time and across services.
Examples of Unique Personal Identifiers:
- Device identifiers
- IP addresses
- Cookies
- Beacons
- Pixel tags
- Mobile ad identifiers
- Customer number
- Unique pseudonym / User alias
- Telephone numbers
Commercial Information
Commercial information refers to an individual’s purchasing behavior, history or tendencies.
Examples of Commercial Information:
- Personal property records
- Previous purchases
- Considerations of purchases
- Any other purchasing or consumption histories or tendencies
Biometric Information
Biometric information refers to an individual’s physiological, biological or behavioral characteristics.
Examples of Biometric Information:
- Individual’s DNA that can be used, singly, or in combination with other identifiers to establish individual identity.
- Imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns and voice recordings, from which the identifier template, such as a faceprint, a minutiae template or a voiceprint, can be extracted
- Keystroke patterns or rhythms
- Sleep, health or exercise data that contain identifying information
Computer Activity
Computer activity refers to any Internet or other electronic network activity information.
Examples:
- Browsing history
- Search history
- Information regarding a consumer’s interaction with a website, app or ad.
More categories
- Geolocation data
- Audio, electronic, visual, thermal, olfactory or similar information
- Professional information or employment-related history
- Education-related information that is not publicly available personally identifiable information as defined by the Family Educational Rights and Privacy Act
Inferences based on PII
Personally Identifiable Information (PII) is defined as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
Further, PII is defined as information:
- that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.)
- by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).
Information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
This category covers any inferences drawn from any of the information identified in this subdivision to create a consumer profile that includes the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Exceptions to the above PII categories
Public records
Information that the federal, state or local government makes available to the public is NOT covered by the CCPA, provided that its use is compatible with the purpose for which the data is maintained and made available in the government records.
A consumer’s biometric information collected WITHOUT the consumer’s consent is not deemed publicly available.
Deidentified Information
Deidentified information is information that can’t reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a specific consumer, provided that the business using the information:
- Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain
- Has implemented business processes that specifically prohibit reidentification of the information
- Has implemented business processes to prevent inadvertent release of deidentified information
- Makes no attempt to reidentify the information
The challenge for businesses is determining whether information can NOT reasonably “be capable of” being associated with a particular consumer, directly or indirectly, especially in a world where technology makes it extremely easy to recreate an individual’s identity from disparate sources of data.
Aggregate consumer information
Aggregate consumer information is defined as information that relates to a group or category of consumers, from which the consumers’ identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
“Collect” and “Sell” information defined
Collection: “Buying, renting, gathering, obtaining, receiving or accessing any personal information related to a consumer by any means.” It includes any information you receive, whether actively, passively or by observing consumer behavior.
Sale: “Selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means” the PI of a consumer to another business or third party “for monetary or other valuable consideration.”
IMPORTANT NOTE: Because the definition is broad, assume that a “sale” could have occurred if it’s provided as part of a bigger business deal, even if no money is directly given for the information. Also, a website could be considered “selling” information simply by passing data to third-party ad networks through cookies.
The following are exceptions to the “sale” definition.
- A consumer uses or directs the business to intentionally disclose PI to a third party. “Intentionally” means the consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does NOT qualify as a “deliberate action.”
- A business shares a consumer identifier to alert a third party of a consumer’s opt-out decision.
- Personal information is shared with a third party for a “business purpose.” Business purpose means the business has provided notice of the sharing and opt-out right as described below, and the third party does not further collect, sell or use the PI except as necessary to perform the business purpose.
- The personal information is an asset that is part of a merger, acquisition, bankruptcy or another transaction in which the third party assumes control of all or part of the business, provided that the business complies with the CCPA disclosure requirements relating to the disclosure of information collected or sold (discussed below). If the business acquiring the data plans to use or share the data in a way that’s inconsistent with what consumers were told their data would be used for at the time of collection, then it must provide prior written notice of the new practices to the consumer and include a “prominent and robust” notice so the consumer can opt out.