Question: What information is not “Personal Information” under the CCPA?

The CCPA excludes “publicly available information” from the types of “Personal Information” subject to the law, and it will also not apply to information that is excluded from the general application of the CCPA.

The CCPA defines “publicly available information” excluded from the law as “information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.”[1] This definition does not appear to be complete, but likely requires that any conditions associated with such information be satisfied in order to be considered “publicly available.” The definition may be clarified during the CCPA rulemaking process.

Note, the following types of information will not qualify as being “publicly available”: biometric information collected by a business about a consumer without the consumer’s knowledge; information that is used for a purpose not compatible with the purpose for which it is maintained in government records or made publicly available; and de-identified or aggregated consumer information.[2]

The CCPA will also not apply to the following[3]:

  1. Protected or health information collected by a covered entity governed by California’s Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the Health Insurance Portability and Availability Act of 1996 (“HIPAA”). For purposes of the exclusion, the definition of “medical information” in Section 56.05 of the Confidentiality of Medical Information Act and the definitions of “protected health information” and “covered entity” from the federal privacy rule will apply.
  2. The sale of personal information to or from a consumer reporting agency if the information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
  3. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.
  4. Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that law.

For employers, the exclusion of information “governed by” HIPAA is a welcome and understandable exclusion, as “protected health information” is already subject to rigorous standards under HIPAA. This exclusion does, however, raise questions regarding the extent to which personal information will be considered “governed by” HIPAA for purposes of exempting it from the CCPA. For example, many employers do not consider group health plan enrollment information that is collected by employers from employees and transmitted to the group health plan to be “protected health information” subject to the requirements of HIPAA. The reason is they consider the information to belong to the employer, not the health plan. It is unclear when analyzing enrollment data for CCPA compliance if treating enrollment information as exempt from HIPAA would then make it be subject to the CCPA for California-based employees.

These types of considerations highlight the need for employers to conduct in-depth assessments of the types of employee information they collect and to adopt appropriately designed policies to comply with the CCPA.