The definition of personal information under the CCPA and how data must be handled is crucial for legal professionals to understand today.
It doesn’t seem like all that long ago when “privacy” meant adding your landline to the national “Do Not Call. List.”
Yet, in this modern era where data is the new currency, the California Consumer Privacy Act (CCPA) affords much greater protections than we ever could have imagined.
Enacted in 2018 (and effective as of January 1, 2020), the CCPA represents a significant step in the area of privacy laws and is so powerful that it is strikingly influential not just for California but for the entire nation.
Indeed, as the strictest privacy law in the U.S., the CCPA has drawn parallels to the European Union’s General Data Protection Regulation (GDPR).
Importantly, the CCPA not only allows consumers in California to find out what information a business is holding about them, but it also allows them to opt out of certain uses of their personal information. Those two key aspects of the legislation are the focus of this article.
Specifically, the two questions we’ll address today are: (1) what kind of personal information is covered under the Act?; and (2) how can consumers avoid having that information used? We’ll finish off by providing practical tips for how you can help your business clients stay in compliance with this comprehensive Act.
There’s a lot to wade through here, so let’s get to it.
CCPA personal information definition
Central to the CCPA is its definition of personal information (PI). The definition of PI under the act is crucial because it determines the scope of consumer privacy rights and business obligations.
Unlike narrower interpretations in previous privacy laws, the CCPA adopts a broad scope, encompassing a wide array of data types.
From traditional identifiers like names, addresses, and fingerprints to digital identifiers like IP addresses and geolocation data, the CCPA’s definition extends to any information that can be linked, directly or indirectly, to a particular consumer or “household” (see below).
This expansive approach aims to grant consumers significant control over their personal data. Importantly, however, PI under the CCPA is more than just personal information. Here’s what we mean by that:
The household conundrum
One aspect of the CCPA’s definition of PI that poses unique challenges is the interpretation of “household.” This term, while seemingly straightforward, carries significant implications in the context of data privacy.
Under the CCPA, a “household” is a group of people residing at the same address who share common devices or services.
This definition broadens the scope of personal information protection to include collective data associated with a household, rather than just individual data – yet another indication of the act’s comprehensive approach to privacy.
The inclusion of households becomes even more striking when you consider CCPA’s additional protections.
But wait, there’s more
The CCPA doesn’t just protect data-based information about individuals and households.
Indeed, according to a March 10, 2022 opinion from the California Attorney General, the act also protects inferences that can be drawn from that personal information to create a profile about a consumer (or, presumably, a household full of consumers).
These inferences are crucial as they contribute to a “consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” (California Civil Code, § 1798.140(v)(1)(K).)
Like it or not, this kind of profiling is often used by businesses for targeted advertising, marketing strategies, or predictive analytics.
The inclusion of inferences in the definition of personal information is significant. It recognizes that the value and sensitivity of data lie not just in the raw information collected but also in how it is analyzed and used to draw conclusions about consumers.
By categorizing inferences as personal information, the CCPA aims to give consumers more control over how businesses interpret and use their data, not just the data itself.
This approach reflects a growing awareness of the impacts of data-driven decision-making and the potential for misuse in profiling and automated decision-making processes.
The “right to be forgotten”
In light of the CCPA’s expansive definitions of PI, it’s clear that the California legislature is keen on protecting consumers. At the heart of the CCPA’s consumer-centric approach is the “right to be forgotten,” also known as the “right to erasure” or “right to delete”.
This provision allows individuals to request businesses to delete their personal information, presenting unique compliance challenges.
For companies, especially those using large consumer data sets or employing deep neural networks for data analysis, this right requires the development of new strategies and technologies to efficiently locate and delete individual data without disrupting overall operations.
California lawyers advising businesses on CCPA compliance need to be aware of these technical complexities.
They must guide clients on implementing systems and procedures that can handle such requests effectively while maintaining the integrity of their broader data operations. Let’s take a look at some of the key issues here.
Balancing erasure rights with data retention needs
The “right to be forgotten” under the CCPA introduces a delicate balance for businesses between honoring erasure requests and retaining data for legal, security, or operational necessities.
While consumers have the right to have their personal information deleted, many businesses must also consider regulatory obligations for record-keeping, which might necessitate holding onto certain data.
Additionally, data retention can be crucial for security purposes, like auditing or fraud prevention.
Consider the Sarbanes-Oxley Act (SOX). Enacted in 2002 in response to major corporate and accounting scandals, SOX mandates strict retention policies for business records, particularly for those related to finance and auditing.
Under SOX, public companies are required to maintain and accurately report financial records and audits for at least five years. Yet if consumers decide to invoke their data erasure rights under the California law, SOX could potentially conflict with CCPA.
In this context, a business subject to SOX must carefully assess whether the requested data is integral to their financial records or audits. If so, the company may need to retain this data despite the CCPA request, due to the overriding legal requirement of SOX.
This exemplifies the complex interplay between consumer privacy laws and other regulatory mandates that businesses – and their lawyers – must navigate.
Complexities of erasure in cloud storage and machine learning
Another challenging scenario involving the right to erasure under the CCPA arises in cloud storage and machine learning contexts. Consider, for example, a cloud service provider storing personal data across multiple global data centers. When a consumer exercises their right to be forgotten, locating and erasing every instance of this data becomes a complex task due to data replication and backup processes inherent in cloud architectures.
Similarly, in machine learning, data once used for training algorithms becomes intricately woven into the model’s fabric. Erasing an individual’s data post-training doesn’t straightforwardly extract their influence from the model. For instance, if a consumer requests deletion of their data used in a credit scoring algorithm, simply removing their data doesn’t undo their impact on the algorithm’s existing learned patterns and predictions.
It’s enough to make your head spin, isn’t it? So, let’s talk about what you can do to assist your business clients in this environment.
Practical tips for legal compliance
As California lawyers counsel businesses’ compliance with these key provisions of the CCPA, a strategic, multi-faceted approach is essential. Here are key practical tips to navigate the complexities of the CCPA:
Develop comprehensive compliance policies
Begin by helping businesses establish clear CCPA compliance policies. This includes mapping out data flows, understanding where and how personal information is stored and processed, and categorizing data based on CCPA requirements. Lawyers should advise on policies that distinguish between personal information, household information, and inferences, ensuring each category is managed in accordance with the CCPA.
Stay involved in client efforts to train employees
It’s crucial for your business clients to train their staff on the subtleties of the CCPA – in fact, employee training is required by the Act. Ideally, you will be involved in developing this training from a compliance standpoint. Your training materials should cover the broad definition of personal information, the rights of consumers, and the business’s specific processes for CCPA compliance. Employees should be made aware of the importance of data privacy and their role in maintaining compliance.
Prepare for the right to erasure
Lawyers should guide businesses in setting up processes to handle the right to erasure effectively. This includes establishing clear protocols for identifying and removing personal information upon request, while balancing the need for data retention for legal or operational reasons. Encourage the development of technologies that can surgically remove data without disrupting the broader dataset, especially in complex environments like SOX-regulated businesses, cloud storage, or machine learning applications.
Stay informed and agile
The CCPA, like any evolving regulation, is bound to come with endless updates and interpretations. Legal advisors must stay informed about these changes and guide their clients accordingly. Encourage business clients to maintain an agile approach, allowing them to adapt to new guidance or amendments to the law.
Advise on consumer communication
Clear communication with consumers about their data rights is not just a legal requirement, but also a best practice. Help clients develop transparent privacy policies and consumer communication strategies that clearly explain how personal information is used, stored, and can be accessed or deleted.
Conduct regular compliance audits
Finally, recommend (and offer) regular audits of CCPA compliance. These audits should assess the effectiveness of data governance policies, the responsiveness of data management systems, staff training efficacy, and overall adherence to CCPA mandates.
By first understanding the complexities of “personal information” and the “right to be forgotten” – as well as by following these steps – lawyers can provide comprehensive guidance to their business clients that will not only ensure compliance with the CCPA but will also foster a culture of respect for consumer privacy rights.
Conclusion
The California Consumer Privacy Act (CCPA) marks a new era in privacy laws, defining personal information expansively and granting consumers unprecedented control over their data.
Understanding the definition of personal information under the CCPA, including its inclusion of household data and inferred profiles, is paramount for legal professionals navigating compliance.
The “right to be forgotten” presents unique challenges, requiring businesses to balance erasure requests with legal obligations and technological complexities.
By advising on comprehensive compliance strategies, facilitating employee training, and advocating for transparent consumer communication, lawyers can help businesses effectively navigate the intricate landscape of CCPA compliance.
