The California Consumer Privacy Act (CCPA), the United States’ strictest and most comprehensive data privacy law, has the broadest definition of “personal information” of any law in effect—including the European Union’s General Data Protection Regulation (GDPR). The law is so sweeping that it includes 11 categories of personal information.
The CCPA aims to prevent the sale or sharing of California residents’ (“consumers”) personal information without their permission—but it protects more than the conventional types of “personal data” such as name, telephone number, and social security number. The law also considers a person’s browsing and search history, geolocation data, biometrics, and other types of information that have not been “de-identified” to be worthy of regulation.
What is Personal Information Under CCPA?
The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
It establishes the following categories of personal information:
- Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
- Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
- Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
- Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences
The law also includes inferences that could be used to create a profile reflecting a consumer’s:
- Preferences
- Characteristics
- Psychological trends
- Predispositions
- Behavior
- Attitudes
- Intelligence
- Abilities
- Aptitudes
It gives the California attorney general the power to add categories of personal information to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
What is not considered personal information?
Personal information, also known as personally identifiable information (PII), refers to any data that can be used to identify a specific individual. Understanding what is not considered personal information can be just as important, especially in the context of privacy and data protection. Here are some examples of data typically not considered personal information:
- Aggregated Data: Information that has been compiled into data summaries, usually for the purposes of public reporting or statistical analysis. For example, a report stating that “60% of users prefer online shopping” does not contain personal information.
- Anonymized Data: This is data from which personal identifiers have been removed. If the process of anonymization is done properly, it should be impossible to link the data back to any individual.
- Public Information: Data that is already publicly available and can be accessed by anyone. For example, a published article or a phone number listed in a public directory.
- General Information: Information that is too broad or common to identify a specific individual, such as a first name without any additional context or demographic information.
- Business Contact Information: In some jurisdictions, the contact information used for business purposes (such as business phone number, address, or email) is not considered personal, especially when it’s used solely in a professional context.
- Random Data: Data that does not relate to or describe an individual, such as random alphanumeric sequences that are not linked to personal identifiers.
Whether information is classified as personal or non-personal depends on the context and the jurisdiction. For instance, in some cases even seemingly non-personal information becomes personal once it is combined with other data that makes the individual identifiable.
Why do the categories matter?
The CCPA establishes new consumer rights regarding personal information. Under the law, businesses that collect personal information from consumers must inform them at or before the time of collection that they are doing so. Businesses must disclose the categories of information they are collecting and the purpose for which it will be used.
Those businesses must also provide a “Do Not Sell My Personal Information” button or link on their website’s home page.
If it receives a verifiable consumer request, a business must respond with:
- Which categories of personal information it has collected about the consumer
- The categories of sources of that information
- Its business or commercial purpose for collecting or selling it
- Which categories of third parties, such as service providers, it shares personal information with
- Specific pieces of personal information the business has collected about the consumer
When selling a consumer’s personal information or disclosing it for a business purpose, a business must disclose, upon request:
- The categories of personal information the business has collected about the consumer
- The categories of the consumer’s personal information the business has sold and the categories of third parties to which it sold the data
- Which categories of the consumer’s personal information the business has disclosed for a business purpose
Characteristics of Personal Data under the CCPA
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy law that came into effect in California on January 1, 2020. It provides California residents with certain rights regarding their personal information held by businesses. Under the CCPA, personal data is defined with specific characteristics:
1. Identifiability: Personal information under the CCPA includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This broad definition ensures that a wide range of data types can be considered personal information.
2. Types of Information Included:
- Identifiers: This includes direct personal identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of Protected Classifications: Information related to characteristics of protected classifications under California or federal law, like race, religion, sexual orientation, gender identity, etc.
- Commercial Information: Including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric Information: Data generated from physical characteristics or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints.
- Internet or Other Electronic Network Activity Information: Such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation Data: Precise geographic location information about a particular individual or device.
- Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information: Essentially, any sensory data related to a consumer.
- Employment-related Information: Professional or employment-related information.
- Education Information: Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).
- Inferences Drawn from Personal Information: To create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
3. Exclusions: Publicly available information is not regarded as personal information under the CCPA. Publicly available means information that is lawfully made available from federal, state, or local government records.
4. Context-Dependent: The classification of data as personal information under the CCPA can depend on the context in which the data is used. If the data can be used to reasonably identify, relate to, describe, be associated with, or impact an individual or household, it’s likely to be considered personal data.
The CCPA’s definition of personal information is broad and inclusive, reflecting a growing trend in privacy laws to provide comprehensive protections for consumer data. Businesses subject to the CCPA must understand these definitions to ensure compliance with the law’s requirements.
Who Must Comply with CCPA?
The California Consumer Privacy Act (CCPA) applies to a specific set of businesses, regardless of their location, as long as they handle the personal data of California residents. The criteria for businesses that need to comply with the CCPA are as follows:
- Annual Gross Revenues: Businesses with annual gross revenues in excess of $25 million.
- Volume of Data: Companies that buy, receive, sell, or share, for commercial purposes, the personal information of 50,000 or more California residents, households, or devices annually.
- Income from Selling Data: Businesses that derive 50% or more of their annual revenues from selling California residents’ personal information.
It is important to note that these criteria apply to businesses operating within California as well as those located outside California if they meet the above criteria in their dealings with California residents.
How Can My Company Comply with the CCPA?
Complying with the CCPA involves several steps to ensure that your business respects the privacy rights of California residents and adheres to the regulations. Here’s a guideline for compliance:
- Understand the Data You Collect: Identify the types of personal information your company collects, where it’s sourced from, how it’s used, and with whom it’s shared.
- Update Privacy Policies: Your privacy policy should reflect CCPA requirements. This includes informing consumers about their rights under the CCPA, the categories of personal information collected, the purposes for which the information is used, and the categories of third parties with whom the information is shared.
- Create Consumer Request Processes: Establish procedures to respond to consumer requests. Under CCPA, consumers have the right to know about, access, and delete their personal information, as well as the right to opt out of the sale of their personal information.
- Implement Opt-Out Methods: Provide a clear and conspicuous “Do Not Sell My Personal Information” link on your website’s homepage, allowing consumers to opt out of the sale of their personal information.
- Train Employees: Ensure that all employees handling consumer inquiries or responsible for CCPA compliance are well-trained and aware of the procedures and timelines for handling consumer rights requests.
- Data Security Measures: Implement reasonable security measures to protect the collected personal information from unauthorized access, destruction, or disclosure.
- Vendor Management: If you share personal information with service providers or third parties, ensure that they are also complying with CCPA requirements.
- Regular Compliance Audits: Regularly review and audit your data practices, privacy policies, and compliance processes to ensure ongoing adherence to CCPA standards.
- Prepare for Consumer Requests: Have a system in place to efficiently handle and respond to consumer requests within the CCPA’s specified timelines (45 days, extendable by another 45 days).
- Record-Keeping: Maintain records of consumer requests and how they were responded to for at least 24 months as required by the CCPA.
By diligently following these steps, companies can ensure they are in compliance with the CCPA, thereby protecting the privacy rights of California residents and avoiding potential penalties.
FAQs for CCPA
What is an Example of Personal Information Under the CCPA?
Under the California Consumer Privacy Act (CCPA), personal information is defined broadly to include any information that identifies, relates to, or could reasonably be linked with a specific individual or household. An example of personal information under the CCPA would be:
Detailed Example: John Doe, a resident of California, subscribes to an online shopping platform. The personal information collected by this platform about John could include his full name, home address, email address, phone number, credit card details, browsing history on the platform, purchase history, and geolocation data from his mobile device. The platform may also collect inferences drawn from this data to create a profile about John’s preferences and behavior.
All this data falls under the scope of personal information as defined by the CCPA.
This example illustrates how a range of identifiable data, including digital footprints and inferred profiles, is considered personal information under the CCPA.
What is a CCPA Notice at Collection of Personal Information?
A CCPA Notice at Collection of Personal Information is a disclosure requirement mandated by the CCPA. This notice must be provided to consumers at or before the point of collecting their personal information. The notice should include:
- Categories of Personal Information Collected: The notice must clearly list the categories of personal information that the business intends to collect.
- Purpose of Collection: The business must specify the purposes for which the collected personal information will be used.
- Information on Selling or Sharing: If the business sells or shares personal information, the notice must include this fact and provide information on how consumers can opt out.
- Link to Privacy Policy: The notice should include a link to the business’s privacy policy, where consumers can get more detailed information about data handling practices.
The CCPA Notice at Collection serves to inform consumers upfront about what personal information is being collected and why, enhancing transparency and giving consumers a chance to make informed decisions.
What Categories of Personal and Private Information Can be Gathered?
Under the CCPA, a wide range of personal and private information can be gathered. These categories include, but are not limited to:
- Identifiers: Such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Characteristics of Protected Classifications: Including age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information.
- Commercial Information: Including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric Information: Data generated from physical characteristics or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints.
- Internet or Other Electronic Network Activity Information: Such as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement.
- Geolocation Data: Precise geographic location information about a particular individual or device.
- Audio, Electronic, Visual, Thermal, Olfactory, or Similar Information: Including images and audio, video or call recordings created in connection with a business’s activities.
- Professional or Employment-Related Information: Including current or past job history or performance evaluations.
- Education Information: Non-publicly available education information, like grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
- Inferences Drawn from Personal Information: Creating a profile about a consumer reflecting their preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
These categories highlight the breadth of information considered personal under the CCPA, emphasizing the need for businesses to be meticulous in their data collection and handling practices.
Rely on ZenGRC for CCPA Compliance
Relying on ZenGRC for CCPA compliance offers businesses a streamlined and efficient way to manage their privacy obligations. As a comprehensive governance, risk management, and compliance (GRC) solution, ZenGRC simplifies the complex process of adhering to the stringent requirements of the California Consumer Privacy Act (CCPA). It provides an intuitive platform for tracking and reporting on data protection practices, ensuring that all personal information is handled in compliance with CCPA regulations. With features like automated risk assessments and real-time compliance monitoring, ZenGRC helps businesses stay ahead of potential compliance issues. This proactive approach not only minimizes the risk of non-compliance but also instills confidence in customers that their personal data is being managed responsibly.