Updated December 6, 2019.
CCPA’s definition of personal information is a groundbreaking legal advance in the US, as California becomes the first state in the nation to endow its residents with enforceable rights and ownership over their own data.
In this blogpost, we dive into the specifics of the CCPA’s personal information provision.
What’s the exact definition? What are some concrete examples of CCPA’s personal information? And what does the CCPA say about the use of personal information on websites?
Find the answers and become compliant with Cookiebot.
In the CCPA, personal information is defined as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to the CCPA, PII (or personally identifiable information) is a broad category of all kinds of data ranging from the most straight-forward and intuitive personal data to things that might not at first sight seem like personal data at all.
A list of what is defined under the CCPA as personal information includes:
In the CCPA, personal information has no format or medium limitation, which means that even pictures or sounds can qualify as personal information, if they fall under the definition in the law.
However, the definition in CCPA of personal information does not include de-identified/anonymized information, as well as aggregate information (i.e. information about multiple users that does not contain personally identifiable information) – with the exception of household data, which we’ll look at in a minute.
CCPA’s personal information definition includes anything that can reasonably lead to the identification of an individual.
Using data (that is in itself not personal data) to draw inferences for the purpose of creating profiles on consumers, consisting of consumer behavior, convictions, preferences, intelligence, abilities and characteristics can be considered by CCPA as personal information.
This expansive definition in the CCPA of PII is a crucial leap for US data privacy, because it directly relates to the billion-dollar ad tech industry of behavioral advertisement based on persona data collection that recent surveys show Americans are worried about and want regulated.
It means that using e.g. cookies, web beacons and social media plugins on your website can be a liability under the CCPA, if you or third parties either directly collect personal information through such means, or if you or third parties collect data that can be used to create identifiable profiles for the purpose of personalized advertisement.
In other words, if data has the potential to ultimately result in the identification of an individual, it can be deemed personal information under the CCPA, since the law defines personal information as “reasonably capable" of being linked to an individual or a household.
CCPA’s personal information definition is as broad as the European GDPR’s.
In more words, CCPA’s personal information definition includes not only data that identifies, but data that makes the identification possible.
This includes website cookies, browser history and website analytics, such as monitoring user behavior on a domain (how long their mouse hovers on what, scroll speed, clicks and more), since these could, through combination and inference, lead to the identification of an individual.
In the CCPA, personal information also covers a subgroup of data called household information.
Household information has been discussed vigorously since the CCPA passed into law and criticized for its ambivalent nature.
The CCPA’s personal information definition does not further specify what household data means or how it should be enforced.
However, the proposed enforcement regulations from the Attorney General of California defines household as:
“a person or a group of people occupying a single dwelling.”
The draft regulations published by the Attorney General specifies that businesses are allowed to provide household information to consumer requests as aggregate data, in case the requests come from accounts without password protection.
The CCPA draft regulations also specify that all members of a household must make a request for disclosure and/or deletion of the household information, before a business has to comply.
Upon such a joint request, businesses are forced to respond, if they can verify individually all the members of that household.
The Attorney General’s draft regulation on CCPA’s personal information definition, among other things, will be up for public debate December 6, after which a second draft will likely be issued.
The deadline for the enforcement regulations to be in place is July 2020.
Try a free website scan with Cookiebot today to find all cookies and trackers on your domain that collect and process personal information of your end-users.
If your business has a website, it is almost certain that you one way or another collect what is defined in the CCPA as personal information.
Dive deeper into the CCPA, personal data and compliance here.
Given the broad definition in the CCPA of personal information, first and third party cookies can be deemed indirect identifiers, reasonably capable of identifying an individual through the collection of personal information such as browser history, cross-site tracking, IP addresses, other behavioral data that trackers and plugins on your website collect on your end-users.
Cookiebot ensures full transparency and CCPA compliance for businesses and their websites.
An important part of being compliant with the CCPA is for a business to know the exact make-up of its website – what cookies and trackers are hiding behind its surface and what third parties are in operation collecting personal information (for which the business is liable).
With the CCPA, personal data is no longer a commodity that businesses can trade and sell without any thought for the consumer. In California, personal information is becoming owned by the end-users themselves.
Cookiebot works to protect privacy and human autonomy on our digital infrastructures, and we are thrilled to see strong data privacy laws emerging around the world – from Europe to the US.
Cookiebot is a compliance solution for CCPA and GDPR – depending on what configuration you and your business needs and where in the world your end-users are located.
Cookiebot scans your website, uncovers all cookies and trackers in place and blocks them all from collecting personal information, until your end-users have given their consent to which trackers, they will allow activated, as is the strong privacy requirements of the European GDPR.
Cookiebot also supports the CCPA requirement of having a Do Not Sell My Personal Information link on a business’ website.
Cookiebot enables CCPA compliance for businesses from January 1, 2020.
Try Cookiebot for free today if your business and its websites have visitors from the EU or from California, whose personal information you collect through cookies, trackers and social media plugins on your domains.
This way, you can ensure transparency and the protection of privacy for your end-users, as well as become CCPA compliant.