CCPA Compliance: Are you Ready for PI 2.0? (5 Months to Go)
Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if CCPA applies to your business.
Under CCPA a business needs to track certain personal information to be able to honor consumer requests. Consumers may ask, for example, to know what information a business has on hand about them (among other rights*). CCPA also requires a business to secure personal information to help avoid an actionable data breach. The CCPA’s broad definition of personal information is unprecedented in existing US state privacy law. Consequently, CCPA may cause many businesses to reclassify certain information as personal information (“PI”). Welcome to PI 2.0.
What’s “new” in PI under CCPA? PI now includes content not always considered PI in the past such as:
1. data relating not only to an individual consumer, but also to households
2. online identifiers
3. geolocation data
4. IP addresses
5. Internet browsing or search history, including information regarding a consumer’s interaction with an Internet website, application, or advertisement
6. commercial information, including a consumer’s records of things purchased, considered, or other purchasing or consuming histories or tendencies
7. inferences drawn (e.g., predictions about consumer or household preferences or tendencies)
8. audio, electronic, visual, thermal, olfactory, or similar information
Why are these definitional changes significant?
• Businesses subject to CCPA now have new compliance obligations. Some action items may include:
a) Many businesses will need to revise their posted privacy policies and internal processes to account for the broader definition of PI under CCPA (as part of otherwise working to have policies and processes that comply with CCPA).
b) They will have to determine whether to apply the broad treatment of PI in California across their data subjects in the US (even if not required in other states) if it would be too cumbersome to isolate PI subject to CCPA from other PI those businesses maintain.
c) Businesses may also desire to evaluate whether the new CCPA requirements make raising a claim under their cyber liability insurance harder and how to compensate for that possibility.
d) Businesses may need to amend vendor contracts to account for an updated definition of PI (as part of otherwise addressing whether the vendor contracts comply). See our prior vendor contracts alert here.
CCPA expands the types of data that businesses must treat as PI. Under CCPA, this expanded definition of PI is used for purposes of allowing consumers to exercise their CCPA rights*. This definition is very broad compared to existing PI definitions in the US, many of which are found in data breach notification laws. Under US state data breach laws, data is considered PI if it contains both an identifying factor and an account number or other sensitive personal data element.
• For example, in California what is PI for purposes of determining whether a data breach occurred means an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) social security number, (ii) driver’s license number or California identification card number, (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (iv) medical information, or (v) health insurance information.
• CCPA itself relies on California’s separate data breach law definition of PI to determine what would be an actionable data breach under CCPA. That’s good news because an actionable data breach exposing a business to liability in California applies to a narrow subset of PI. However, it doesn’t change the fact that a business otherwise must apply CCPA’s other requirements to a broad and vast amount of individuals’ data.
* CCPA gives data subjects, with some exceptions, the rights to (i) be informed if their personal information is sold or disclosed, (ii) approve of the sale of their personal information, (iii) demand deletion of the information, (iv) opt out and (v) be protected from discrimination if they exercise their privacy rights.
This overview does not substitute for considering CCPA’s requirements in their entirety.