I remember one of my teachers in grade school asking the question, "How do you eat an elephant?" His answer: "One bite at a time." was a revalation to me at the time. Looking back over my life, it is mind boggling how often that single statement has provided access to action in my life. A big, intimidating topic like the California Consumer Privacy Act (2018), complete with it's significant fines and private right of actions requires an access to action and I suggest it be considered one section at a time.
The Attorney General of California has released the text of Proposed Regulations on Oct 11, 2019, just in time for organizations to completly re-think their management of data (collection, storage, sharing, selling, etc) prior to the law coming into force Jan 1, 2020. Let's break the 24 pages down and add some comments/editorial to help organizations head down this road.
The first Section is definitions. An obvious missing is the definition of Personal Information in the context of California law. Clarip describes it as follows:
The California Consumer Privacy Act protects the personal information of California residents, referred to by the privacy law as consumers. To clarify to businesses precisely what they need to protect, the CCPA contains a definition of personal information. However, the breadth of the definition means that businesses need to protect a broad range of information and may need to make judgment calls about information on the periphery.
The definition of personal information in the CCPA includes 11 categories, which can be summarized as:
2) Select Information in Customer Records
3) Legally Protected Characteristics
4) Commercial Purchasing Information
5) Biometric Information
6) Internet or Network Activity
8) Information Typically Detected by the Senses
9) Employment Information
10) Education Information
11) Inferences from Above Used to Profile
However, this is really only the beginning as the definition of personal information is not limited to these categories. Personal information includes anything that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
There are several exclusions from the definition of personal information. One of them is that it does not include deidentified or aggregate consumer information. It also does not include publicly available information, which is defined as information lawfully made available from federal, state, or local government records.
Some of the specific data identified as personal information:
– real name,
– postal address,
– unique personal identifier,
– online identifier,
– Internet Protocol address,
– email address,
– account name,
– social security number,
– driver’s license number,
– passport number, or
– other similar identifiers.
2) Information in Customer Records:
– social security number,
– physical characteristics or description,
– telephone number,
– passport number,
– driver’s license or state identification card number,
– insurance policy number,
– employment history,
– bank account number,
– credit card number,
– debit card number,
– financial information,
– medical information,
– health insurance information.
6) Internet Activity:
– browsing history,
– search history,
– information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
8) Information Detected by the Senses (this moniker is not listed in the CCPA but seems to fit well):
– similar information.
The Attorney General has the power to add additional categories of personal information in regulations issued after the solicitation of broad public participation in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
Areas of Controversy
There are at least several major areas of controversy around the definition of personal information at the moment.
The first is that there has been testimony in legislative hearings from proponents of the bill after the CCPA passed that IP address alone is not considered as personal information. This has been in response to criticism that there really is no true carve out for small businesses since many businesses with less than $25 million in revenue will hit the data collection threshold. If a consumer’s IP address alone is considered personal information under the bill, then a website server which is collecting that information in its server logs will only need 137 visitors a day from California to reach the CCPA threshold and become a covered business. Many people read the CCPA as covering all collection of IP addresses, but some proponents have testified otherwise.
The second is that the personal information of employees is included within the scope of the law. AB-25 is a proposed bill in the California Assembly that would remove employees from the definition of consumer and end the controversy. We will be closely following the bill to see whether it is approved by the California legislature. In the latest version of AB-25 up for a possible Senate floor vote, employee data is excluded from the CCPA for a one year period so that consumer advocates and business groups can determine how to appropriately protect employee data privacy.
Another area of controversy has been the inclusion of households within the definition of personal information. Businesses have publicly noted the problem with this for the right to access and right to delete and asked for guidance during the rulemaking process from the California Attorney General.
Now lets review Section 1, including more definitions:
Article 1 - General Provisions
§ 999.300. Title and Scope
A The California Consumer Protection Act (CCPA) do not limit any other rights a consumer may have
B Violations of these regulations could results in fines or a private right of action as described.
§ 999.301. Definitions
In addition to the definitions set forth in Civil Code section 1798.140, for purposes of these regulations:
(a) “Affirmative authorization” means an action that demonstrates the intentional decision by the consumer to opt-in to the sale of personal information. Within the context of a parent or guardian acting on behalf of a child under 13, it means that the parent or guardian has provided consent to the sale of the child’s personal information in accordance with the methods set forth in section 999.330. For consumers 13 years and older, it is demonstrated through a two-step process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.
(b) “Attorney General” means the California Attorney General or any officer or employee of the California Department of Justice acting under the authority of the California Attorney General.
(c) “Authorized agent” means a natural person or a business entity registered with the Secretary of State that a consumer has authorized to act on their behalf subject to the requirements set forth in section 999.326.
(d) “Categories of sources” means types of entities from which a business collects personal information about consumers, including but not limited to the consumer directly, government entities from which public records are obtained, and consumer data resellers.
(e) “Categories of third parties” means types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.
(f) “CCPA” means the California Consumer Privacy Act of 2018, Civil Code sections 1798.100 et seq.
(g) “Financial incentive” means a program, benefit, or other offering, including payments to consumers as compensation, for the disclosure, deletion, or sale of personal information.
(h) “Household” means a person or group of people occupying a single dwelling.
(i) “Notice at collection” means the notice given by a business to a consumer at or before the time a business collects personal information from the consumer as required by Civil Code section 1798.100(b) and specified in these regulations.
(j) “Notice of right to opt-out” means the notice given by a business informing consumers of their right to opt-out of the sale of their personal information as required by Civil Code sections 1798.120 and 1798.135 and specified in these regulations.
(k) “Notice of financial incentive” means the notice given by a business explaining each financial incentive or price or service difference subject to Civil Code section 1798.125(b) as required by that section and specified in these regulations.
(l) “Price or service difference” means (1) any difference in the price or rate charged for any goods or services to any consumer, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer, including denial of goods or services to the consumer.
(n) “Request to know” means a consumer request that a business disclose personal information that it has about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
(1) Specific pieces of personal information that a business has about the consumer;
(2) Categories of personal information it has collected about the consumer;
(3) Categories of sources from which the personal information is collected;
(4) Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
(5) Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
(6) The business or commercial purpose for collecting or selling personal information.
(o) “Request to delete” means a consumer request that a business delete personal information about the consumer that the business has collected from the consumer, pursuant to Civil Code section 1798.105.
(p) “Request to opt-out” means a consumer request that a business not sell the consumer’s personal information to third parties, pursuant to Civil Code section 1798.120(a).
(q) “Request to opt-in” means the affirmative authorization that the business may sell personal information about the consumer required by Civil Code section 1798.120(c) by a parent or guardian of a consumer less than 13 years of age, or by a consumer who had previously opted out of the sale of their personal information.
(r) “Third-party identity verification service” means a security process offered by an independent third party who verifies the identity of the consumer making a request to the business. Third-party verification services are subject to the requirements set forth in Article 4 regarding requests to know and requests to delete.
(s) “Typical consumer” means a natural person residing in the United States.
(t) “URL” stands for Uniform Resource Locator and refers to the web address of a specific website.
(u) “Verify” means to determine that the consumer making a request to know or request to delete is the consumer about whom the business has collected information.
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100-1798.199, Civil Code.
While not exhaustive, this sets a context for the language used in the CCPA Proposed Regulations
Our next chapter deals with Article 2 - Notices to Consumers - Part 2 - Notices at Collection