The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
What is “personal Information?”
The CCPA defines the phrase “personal information” as referring to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1
The CCPA’s definition of “personal information” is not identical to the definition used within the European GDPR, but there are obvious similarities. The GDPR refers to the term “personal data” which it defines as “any information relating to an identified or identifiable” person.2 An “identifiable person” under the GDPR is someone who could be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”3
While it is difficult to identify data types that would fall under the CCPA’s definition of “personal information,” and would not fall under the GDPR’s definition of “personal data” (or vice versa) one category of information stands out. The CCPA does not cover any “publicly available information” a term which is itself narrowly defined as referring only to “information that is lawfully made available from federal, state, or local government records.”4 So, for example, under the CCPA the ownership of a residence (a matter of public record) would not be considered “personal information” whereas such information would be considered “personal data” under the GDPR.