Updated November 30, 2020.
CCPA’s definition of personal information is a groundbreaking legal advance in the US, as California becomes the first state in the nation to endow its residents with enforceable rights and ownership over their own data.
In this blog post, we dive into the specifics of the CCPA’s personal information provision.
What’s the exact definition? What are some concrete examples of CCPA’s personal information? And what does the CCPA say about the use of personal information on websites?
Find the answers and become compliant with Cookiebot consent management platform (CMP).
CCPA personal information definition
In the CCPA, personal information is defined as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to the CCPA, personal information is a broad category of all kinds of data, ranging from the most straightforward and intuitive personal data to things that might not at first sight seem like personal data at all.
A list of what is defined under the CCPA as personal information includes:
- Direct identifiers such as real name, alias, postal address, social security numbers, driver’s license, passport information and signature.
- Indirect identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
- Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
- Geolocation data such as location history via devices.
- Internet activity such as browsing history, search history, data on interaction with a webpage, application or advertisement.
- Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information.
In the CCPA, personal information has no format or medium limitation, which means that even pictures or sounds can qualify as personal information, if they fall under the definition in the law.
However, the CCPA’s definition of personal information does not include de-identified/anonymized information or aggregate information (i.e. information about multiple users that does not contain personally identifiable information) – with the exception of household data, which we’ll look at in a minute.
Enforcement of the CCPA has begun!
On August 14, 2020, the final CCPA regulations took effect and enforcement began.
If you haven’t made sure your website is compliant with the CCPA, now is the time to take action.
The California Privacy Rights Act (CPRA) has been passed into law
The new California Privacy Rights Act (CPRA) was passed into law in the General Election on November 3, 2020.
The California Privacy Rights Act (CPRA) amends and expands the existing data privacy regime under the CCPA – giving new rights to California residents, strengthening business requirements and creating a whole new government agency responsible for enforcement.
The California Privacy Rights Act (CPRA) will take effect on January 1, 2023, with a look-back period to January, 2022, and will enter into full enforcement on July 1, 2023.
CCPA personal information examples
Using data (that is in itself not personal data) to draw inferences for the purpose of creating profiles on consumers, consisting of consumer behavior, convictions, preferences, intelligence, abilities and characteristics can be considered by CCPA as personal information.
This expansive definition of PII in the CCPA is a crucial leap for US data privacy, because it directly relates to the billion-dollar ad tech industry of behavioral advertisement based on personal data collection that studies show Americans are worried about and want regulated.
It means that using e.g. cookies, web beacons and social media plugins on your website can be a liability under the CCPA, if you or third parties either directly collect personal information through such means, or if you or third parties collect data that can be used to create identifiable profiles for the purpose of personalized advertisement.
What does the CCPA say about cookies?
In other words, if data has the potential to ultimately result in the identification of an individual, it can be deemed personal information under the CCPA, since the law defines personal information as “reasonably capable“ of being linked to an individual or a household.
In more words, CCPA’s personal information definition includes not only data that identifies, but data that makes the identification possible.
This includes website cookies, browser history and website analytics, such as monitoring user behavior on a domain (how long their mouse hovers on what, scroll speed, clicks and more), since these could, through combination and inference, lead to the identification of an individual.
CCPA household data definition
In the CCPA, personal information also covers a subgroup of data called household information.
Household information has been discussed vigorously since the CCPA passed into law and criticized for its ambivalent nature.
The CCPA’s personal information definition does not further specify what household data means or how it should be enforced.
However, the final CCPA regulations define household as:
“a person or group of people who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.”
Try a free website scan with Cookiebot CMP today to find all cookies and trackers on your domain that collect and process personal information of your end-users.
Cookiebot CMP, CCPA and personal information
If your business has a website, it is almost certain that you one way or another collect what is defined in the CCPA as personal information.
Given the broad definition of personal information in the CCPA, first- and third-party cookies can be deemed indirect identifiers, reasonably capable of identifying an individual through the collection of personal information such as browser history, cross-site tracking, IP addresses and other behavioral data that trackers and plugins on your website collect on your end-users.
An important part of being compliant with the CCPA is for a business to know the exact make-up of its website – what cookies and trackers are hiding behind its surface and what third parties are in operation collecting personal information (for which the business is liable).
With the CCPA, personal data is no longer a commodity that businesses can trade and sell without any thought for the consumer. In California, personal information is becoming owned by the end-users themselves.
CCPA compliance with Cookiebot CMP
Our solution works to protect privacy and human autonomy on our digital infrastructures, and we are thrilled to see strong data privacy laws emerging around the world – from Europe to the US.
Our CMP is a compliance solution for CCPA and GDPR – depending on what configuration you and your business need and where in the world your end-users are located.
Cookiebot scans your website, uncovers all cookies and trackers in place and blocks them all from collecting personal information until your end-users have given their consent to which trackers they will allow to be activated, as the strong privacy requirements of the European GDPR demand.
We also support the CCPA requirement of having a Do Not Sell My Personal Information link on a business’ website.
Try Cookiebot CMP for free today if your business and its websites have visitors from the EU or from California, whose personal information you collect through cookies, trackers and social media plugins on your domains.
This way, you can ensure transparency and the protection of privacy for your end-users, as well as become CCPA compliant.
What is personal information under the CCPA?
Personal information is defined as any information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes names, addresses, social security numbers, driver’s license, location data, sensitive information about personal characteristics, religious or political convictions, sexual orientation, as well as internet activity such as browsing history, search history, IP addresses and more.
Are cookies defined as personal information under the CCPA?
Yes. Under the CCPA, cookies are classified as unique or persistent identifiers because of their ability to collect and process information that can be used to identify or reidentify a California resident. Most third-party cookies on websites will assign Unique IDs to a user’s browser that can be used to track the user across the Internet and across devices.
Who needs to comply with the CCPA?
Companies and for-profit organizations that meet any of the following thresholds are defined as a business under the CCPA and must comply with the law, no matter where in the world they are located: having an annual gross revenue of more than $25 million; deriving 50% or more of their annual revenues from selling consumers’ personal information; or buying, receiving, selling or sharing the personal information of 50,000 or more California residents per year.
How can I control cookies on my website?
Cookies are notoriously difficult to manage, since a large part are secretly loaded by other third-party cookies, and a majority of these will have changed on repeated visits. Using a consent management platform (CMP) that can scan and detect all cookies and trackers, then automatically control them until your users give their choice of consent or opt out, can help make your website compliant with the CCPA.