The CCPA excludes from the definition of “personal information” information that is “publicly available” and defines that term to mean “information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.”1
The CCPA was put together quickly (in approximately one week). Given its hasty drafting, there are a number of instances in which the act is at best ambiguous and at worst unintelligible. The definition of “publicly available” may be one of those instances. Specifically, the definition of publicly available seems to be missing a direct object following the introductory phrase “if any conditions associated with such information.” While presumably the drafters intended the phrase to state “if any conditions associated with such information imposed by a government agency are satisfied” the incomplete conditional clause has yet to be interpreted by courts or the California Attorney General.
The CCPA adds additional ambiguity to the treatment of information derived from publicly available government records by further stating that information “is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records for which it is publicly maintained.”2 Based upon this language, it is not clear whether a business’s use has to be “compatible” with the purpose for which the government agency originally maintained the data, or only with the purpose for which the business collected (and then maintained) the data. As an example, a municipal tax authority may make available public records reflecting tax assessments on real property (e.g., the names of the owners of real property, their land valuation, and their tax assessment), and as the only condition indicate that a business may not use the information to harass a property owner. It is uncertain whether a court would examine whether the business’s use is “compatible” with the purpose of the government agency (e.g., imposing taxes) or with the purpose of the business as permitted by the government agency (e.g., any business purpose that does not involve harassment). Assuming that a court looked to the government’s purpose, it is equally unclear what it means to be “compatible” with that purpose. It is unlikely that a court would interpret compatibility as meaning that the business must share the same purpose as to do so would typically negate any plausible business purpose (i.e., no business shares a purpose of imposing taxes). It is more likely that a court would interpret “compatibility” based upon its plain meaning of permitting two things to exist or occur together without conflict. Under that definition arguably any use by a business of such data would be “compatible” (even if it the business’s purpose is unrelated to the government purpose) so long as the business’s purpose does not (1) interfere with the government purpose by, for example, preventing the collection of taxes, or (2) interfere with any condition placed on the data by the government (i.e., involve harassment). As a result, a business that downloaded tax assessment data in order to perform analytics (e.g., compute average assessment values by block, or zip code) would have a purpose that is “compatible” with the government’s purpose in assessing property taxes, as would a business that downloaded the same tax assessment data to send marketing communications to home owners.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.