Updated November 30, 2020.
CCPA’s definition of personal information is a groundbreaking legal advance in the US, as California becomes the first state in the nation to endow its residents with enforceable rights and ownership over their own data.
In this blogpost, we dive into the specifics of the CCPA’s personal information provision.
What’s the exact definition? What are some concrete examples of CCPA’s personal information? And what does the CCPA say about the use of personal information on websites?
Find the answers and become compliant with Cookiebot.
In the CCPA, personal information is defined as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to the CCPA, personal information is a broad category covering all kinds of data, ranging from the most straightforward and intuitive personal data to things that might not at first sight seem like personal data at all.
A list of what is defined under the CCPA as personal information includes:
In the CCPA, personal information has no format or medium limitation, which means that even pictures or sounds can qualify as personal information, if they fall under the definition in the law.
However, the CCPA's definition of personal information does not include de-identified/anonymized information or aggregate information (i.e. information about multiple users that does not contain personally identifiable information) – with the exception of household data, which we’ll look at in a minute.
On August 14, 2020, the final CCPA regulations were approved and took effect immediately.
This means that enforcement can now begin.
If you haven’t made sure your website is compliant with the CCPA, now is the time to take action.
The new California Privacy Rights Act (CPRA) was passed into law in the General Election on November 3, 2020.
The California Privacy Rights Act (CPRA) amends and expands the existing data privacy regime under the CCPA – giving new rights to California residents, strengthening business requirements and creating a whole new government agency responsible for enforcement.
The California Privacy Rights Act (CPRA) will take effect on January 1, 2023 with a look-back period to January, 2022, and will enter into full enforcement on July 1, 2023.
CCPA’s personal information definition includes anything that can reasonably lead to the identification of an individual.
Using data (that is not in itself personal data) to draw inferences for the purpose of creating profiles on consumers, consisting of consumer behavior, convictions, preferences, intelligence, abilities and characteristics, can be considered personal information under the CCPA.
This expansive definition in the CCPA of PII is a crucial leap for US data privacy, because it directly relates to the billion-dollar ad tech industry of behavioral advertisement based on personal data collection that studies show Americans are worried about and want regulated.
It means that using e.g. cookies, web beacons and social media plugins on your website can be a liability under the CCPA, if you or third parties either directly collect personal information through such means, or if you or third parties collect data that can be used to create identifiable profiles for the purpose of personalized advertisement.
In other words, if data has the potential to ultimately result in the identification of an individual, it can be deemed personal information under the CCPA, since the law defines personal information as “reasonably capable” of being linked to an individual or a household.
CCPA’s personal information definition is as broad as the European GDPR’s.
Put differently, CCPA’s personal information definition includes not only data that identifies, but also data that makes identification possible.
This includes website cookies, browser history and website analytics, such as monitoring user behavior on a domain (how long their mouse hovers on what, scroll speed, clicks and more), since these could, through combination and inference, lead to the identification of an individual.
In the CCPA, personal information also covers a subgroup of data called household information.
Household information has been discussed vigorously since the CCPA passed into law and criticized for its ambivalent nature.
The CCPA’s personal information definition does not further specify what household data means or how it should be enforced.
However, the final CCPA regulations define household as:
“a person or group of people who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.”
Try a free website scan with Cookiebot today to find all cookies and trackers on your domain that collect and process personal information of your end-users.
If your business has a website, it is almost certain that you, one way or another, collect what is defined in the CCPA as personal information.
Given the broad definition in the CCPA of personal information, first and third party cookies can be deemed indirect identifiers, reasonably capable of identifying an individual through the collection of personal information such as browser history, cross-site tracking, IP addresses and other behavioral data that trackers and plugins on your website collect on your end-users.
Cookiebot ensures full transparency and CCPA compliance for businesses and their websites.
An important part of being compliant with the CCPA is for a business to know the exact make-up of its website – what cookies and trackers are hiding behind its surface and what third parties are in operation collecting personal information (for which the business is liable).
With the CCPA, personal data is no longer a commodity that businesses can trade and sell without any thought for the consumer. In California, personal information is becoming owned by the end-users themselves.
Cookiebot works to protect privacy and human autonomy on our digital infrastructures, and we are thrilled to see strong data privacy laws emerging around the world – from Europe to the US.
Cookiebot is a compliance solution for CCPA and GDPR – depending on what configuration you and your business need and where in the world your end-users are located.
Cookiebot scans your website, uncovers all cookies and trackers in place and blocks them all from collecting personal information until your end-users have given their consent to which trackers they will allow to be activated, as the strong privacy requirements of the European GDPR demand.
Cookiebot also supports the CCPA requirement of having a Do Not Sell My Personal Information link on a business’ website.
Cookiebot enables CCPA compliance through our consent management platform (CMP).
Try Cookiebot for free today if your business and its websites have visitors from the EU or from California, whose personal information you collect through cookies, trackers and social media plugins on your domains.
This way, you can ensure transparency and the protection of privacy for your end-users, as well as become CCPA compliant.
Personal information is defined as any information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes names, addresses, social security numbers, driver’s license, location data, sensitive information about personal characteristics, religious or political convictions, sexual orientation, as well as internet activity such as browsing history, search history, IP addresses and more.
Yes. Under the CCPA, cookies are classified as unique or persistent identifiers because of their ability to collect and process information that can be used to identify or reidentify a California resident. Most third-party cookies on websites will assign Unique IDs to a user’s browser that can be used to track the user across the Internet and across devices.
Companies and for-profit organizations that meet any of the following thresholds are defined as a business under the CCPA and must comply with the law, no matter where in the world they are located: have an annual gross revenue of more than $25 million; derive 50% or more of their annual revenues from selling consumers’ personal information; or buy, receive, sell or share the personal information of 50.000 or more California residents per year.
Cookies are notoriously difficult to manage, since a large part are secretly loaded by other third-party cookies, and a majority of these will have changed on repeated visits. Using a consent management platform (CMP) that can scan and detect all cookies and trackers, then automatically control them until your users give their choice of consent or opt out, can help make your website compliant with the CCPA.