A Little Privacy Please? (Part 2)
California’s new consumer privacy law uncovered, Part 2
In this second part of our four-part series on California’s Consumer Privacy Act (the “Act”), which is effective January 1, 2020, we break down the Act’s expanded definition of “personal information” and identify some of the Act’s limitations and exemptions.
1. CCPA Broadly Defines Personal Information
While we will discuss the rights granted to consumers in greater detail in Part 3 of our series on the Act, a brief introduction to those rights provides context for our discussion today. The Act is intended to better protect a consumer’s personal information by granting consumers specific rights related to information collected, shared, or maintained by covered businesses.[1] Under the Act, consumers will have a right to request information about the specific pieces of “personal information” a business collects, the purposes for which it is being used, and whether the business is selling their personal information. What is more, the Act will empower consumers to request that the business delete their personal information.[2]
The Act broadly defines “personal information” (“PI”) to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
PI includes, but is not limited to, the following: (a) names and other identifiers such as IP addresses; account names; driver’s license and passport numbers; (b) characteristics of protected classifications under California or federal law; (c) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (d) biometric information; (e) internet browser and search history, interaction with a website, application, or advertisement; (f) location information; (g) audio, electronic, visual or similar information; (h) professional or employment-related information; (i) educational information; and (j) inferences drawn from any of the above information to create a profile about a consumer.
The Act seeks to strike a balance between the competing interests of consumer privacy groups and the business, telecommunications, and technology industries. However, the broad definition of PI seems to ensure that consumer privacy interests are well-represented.
2. Limitations of the CCPA
Despite the Act’s broad definition of PI, the Act carves out certain exceptions to minimize its impact on certain covered business operations. Thus, the Act will not restrict a business’s ability to:
comply with federal, state, or local laws,
comply with civil, and criminal investigations and process,
cooperate with law enforcement,
exercise or defend legal claims,
collect, use retain, sell or disclose consumer information that is de-identified or in the aggregate consumer information; or
collect or sell a consumer’s PI if every aspect of that commercial conduct takes place entirely outside of California.
There a couple of key exceptions listed above. First, the Act’s requirements do not apply to consumer information that is de-identified or in the aggregate. De-identified consumer information is that which cannot be reasonably identified or be linked to a particular person while aggregate consumer information is not linked or reasonably linkable to any consumer or household, including via a device. In other words, a business may collect, use retain, sell or disclose that information under the Act. Businesses may also collect or sell consumer information so long as the organization collected the PI while the consumer was outside of the state, no part of the sale occurred within the state, and no PI collected while the consumer was in California is sold.
3. Exemptions to the Act
The CCPA also does not apply to personal information protected by certain federal laws that are collected, disclosed, or sold for business purposes. This personal information includes protected health information under HIPAA and the HITECH Act and consumer reports under the Fair Credit Reporting Act. The Act also does not apply to personal information collected, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act if it is in conflict with that law.
If you have any questions concerning whether the Act applies to your business and the consumer information it collects, uses, sells or discloses, please reach out to an MLG attorney to assist you.
[1] Please refer to Part 1 of this series for the full definition of “covered business.”
[2] Please visit this site for more information, including the full text of the Act.
Read the full series:
Part 1: Addresses businesses and consumers are covered under the CCPA.
Part 2: The CCPA’s expanded definition of “personal information”, and some of its limitations and exemptions.
Part 3: Covered Businesses’ obligations to consumers under the CCPA.
Part 4: The CCPA’s enforcement framework and penalties for violations.
Amendments: What you should know about the September 2018 Amendments to the CCPA.
Author: Caitie Emmett, Associate.
The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations. Please contact us at info@maierlawgroup.com for more information.
This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.