Deidentified Information, IP Addresses, List of Data Types
Friday, December 11, 2020

What qualifies as deidentified information?

Deidentified information is defined within the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

  1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

  2. Has implemented business processes that specifically prohibit reidentification of the information.

  3. Has implemented business processes to prevent inadvertent release of deidentified information.

  4. Makes no attempt to reidentify the information.”[1]

The CPRA modified the definition of deidentified information by, among other things, removing the four conditions above and requiring that a business:

  1. Take reasonable means to avoid the association of the information with a consumer or household.

  2. Publicly commit (e.g., in a privacy policy) to maintain and use the information in deidentified form and not attempt to reidentify it.

  3. Contractually obligate recipients of the information to abide by the same restrictions.[2]

The new definition of deidentified information will become operative in 2023.

Is an IP address considered personal information?

Maybe.

Personal information is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[3] While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably linked” with a particular person.[4] The CPRA does not impact the extent to which IP addresses are, or are not, considered personal information.

In order to determine whether an IP address is linked to a person, it is important to understand what an IP address represents.  Computers that access the internet are assigned either a static or a dynamic Internet Protocol (IP) address.  A static IP address does not change over time (i.e., it is dedicated to a particular computer, network, or user).  A dynamic IP address is assigned by a network when a computer connects and, thus, changes over time (e.g., each time that the user reconnects to the network).

The California Attorney General was asked to clarify that IP addresses could not, by themselves, constitute personal information under the CCPA, but refused to do so, stating only that such a determination is “fact-specific and contextual.”[5] When examining whether a static or a dynamic IP address constitutes personal information, California courts may look to how European regulators viewed IP addresses in the context of the European GDPR’s definition of “personal data,” which is similar to (but not identical with) the CCPA’s definition of “personal information.”[6] The Article 29 Working Party took the position that because static IP addresses do not change, and IP addresses can be used to identify the computer (or user), “[t]he possibility exists in many cases . . . of linking the user’s IP address to other personal data . . . that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, using cookies containing a unique identifier)….”[7] The Working Party further recognized that, because of the nature of dynamic IP addresses, in some cases “a third party can get to know the dynamic IP address of a user but not be able to link it to other data concerning this person that would make his/her identification possible.”[8]

Does the term personal information include information that a business obtains from government records?

Typically, no.

The CCPA excludes from the definition of “personal information” information that is “publicly available” and defines that term to mean “information that is lawfully made available from federal, state, or local government records.”[9]

Although the majority of information received from government records is, therefore, excluded from the definition of “personal information,” the California Attorney General has noted that “some information collected from government entities” is not “publicly available” and, therefore, still falls within the scope of “personal information.”[10] The California Attorney General did not, however, provide an example of such data.

Does the CPRA enlarge the list of data types that may qualify as personal information?

Yes.

The CPRA adds “sensitive personal information”[11] to the examples of data types that may constitute personal information. The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields. Some, but not all, of these data fields already existed in the CCPA, and their inclusion with the personal information definition is, therefore, redundant. The following list identifies each data field classified as sensitive personal information.[12] Bolded items were already included as examples of personal information under the CCPA.

Data Fields Identified as “Sensitive Personal Information” Under the CPRA[13]

Biometric information

California Identification card number

Contents of consumer’s email

Contents of consumer’s mail

Contents of consumer’s SMS texts

Credit card number (with required security code or password)

Debit card number (with required security code or password)

Driver’s License Number

Ethnic origin

Financial account number (which permits access to the account)

Genetic data

Health information

Passport number

Philosophical beliefs

Precise geolocation

Racial origin

Religious beliefs

Sex life or sexual orientation

Social Security Number

Trade union membership


[1] Cal. Civil Code 1798.140(h) (Oct. 2020).

[2] Cal. Civil Code 1798.140 (m).

[3] CCPA, Article 1798.140 (v)(1).

[4] CCPA, Article 1798.140 (v)(1).

[5] FSOR Appendix A at 4 (Response 15), 124 (Response 401), 236 (Response 689); FSOR Appendix E at 7 (Response 11).

[6] GDPR, Article 4(1).

[7] Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 21, adopted on Nov. 21, 2000.

[8] Article 29 Working Party, WP 37: Privacy on the Internet – An Integrated EU Approach to On-line Data Protection, at 21, adopted on Nov. 21, 2000.

[9] Cal. Civil Code 1798.140(o)(2) (Oct. 2020).

[10] FSOR Appendix A at 18 (Response 66).

[11] Cal. Civil Code 1798.140(v)(1)(L).

[12] In addition to expanding the examples of personal information, the CPRA imposes new obligations upon companies that use sensitive personal information for purposes other than those enumerated within the Act.

[13] Cal. Civil Code 1798.140(ae).
