California Consumer Privacy Act
The California Consumer Privacy Act gives consumers the right to have personal information deleted on request to companies which fit the criteria under the Act. Companies subject to the Act don’t need to be based in California - simply gross more than $25 million annually, have data on more than 50,000 California residents, or receive more than half their income through the sale of personal information. California has a broad definition of personal information, and it’s important to know information is being collected so consumers can make informed decisions about the privacy of their data.
Under the CCPA, personal information is any information which could identify a consumer. The CCPA includes 11 categories of “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (CCPA § 1798.140)
This means that both objective statements, like the color of someone’s eyes, and subjective statements, like opinions or assessments, are considered personal information. The information doesn’t even need to be true - it just needs to be data which is associated with or could identify a consumer.
Personal information extends to information which a consumer may not expect to be personal data at all. Data as defined in the CCPA as having no medium or format limitation, meaning that pictures and sounds could qualify as personal information as well as text, biometric and other electronic information.
The full text of the Act is available on the website for the California legislature. Here are some examples of what information is collected - and can be deleted - under the CCPA:
The most obvious forms of personal information collected under the CCPA are direct identifiers. These include a consumer’s name, address and identification numbers. Also included is another class, defined as unique customer identifiers. A unique personal identifier is data which could identify an individual consumer, family or device “over time and across services.” In our technology age, these personal identifiers can take many forms. Some examples include IP address, cookies, beacons, pixel tags, mobile ad identifiers, customer numbers, unique pseudonyms, unique aliases and telephone numbers.
- Account name
- Mailing address
- Email address
- Social security number
- Driver’s license number
- Passport number
- Unique customer identifier
Customer record information
- Insurance policy number
- Bank account number
- Credit card number
- Financial information
- Medical information
- Health insurance information
- Physical description or characteristics
Characteristics which classify consumers as protected under California or federal law:
- Sexual orientation
- Gender identify
- Gender expression
- Personal property records
- Products/services purchased, obtained or considered
- Purchasing or consuming history or tendencies
- Hair color
- Eye color
- Retinal scans
- Facial recognition
- Other biometric data
Internet and other electronic network activity
- Browsing history
- Search history
- Website, advertisement and application interaction/engagement data
Audio, visual, thermal, olfactory, electronic or similar information
Professional and employment-related information
Educational information under the CCPA is described as any information which isn’t publicly available, as defined by the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
The CCPA also provides protection for information which may indirectly describe a consumer through unique characteristics. In addition to concrete data points, the CCPA also covers inferences drawn from personal information and customer profiles. For example, a company creates a customer profile based on ads clicked on which show preference for a particular product, and combines that information with posts the consumer has interacted with to create an inference about a person’s political leanings. Both the internet activity, the inference and the consumer profile created would be considered personal information under the CCPA.
Examples of inferences include:
- Psychological trends
What isn’t personal information?
Information which is available publicly isn’t included in the CCPA’s definition of personal information. Information made public through records at the federal, state or local government levels aren’t covered by the CCPA. As well, some types of information are excluded, such as certain financial information and medical information regulated by the Health Information Portability and Accountability Act (HIPAA).
De-identified information or aggregated and de-identified information is also considered not to be personal information, provided it can’t be reasonably tied to an individual. The Act also doesn’t cover information about multiple users in aggregate, aside from households.
So, what can be deleted?
Under the CCPA, consumers may request that any personal information a company stores about them be deleted. This is referred to as the global option, though a business may offer consumers the option to only delete certain data.
What can’t be deleted?
Under the Act, there are several exceptions which a business may cite in order to retain a consumer’s personal information. These exceptions include personal information:
- Required to complete the transaction the information was originally provided for
- Required to protect against and prosecute malicious or illegal activity
- Needed to identify and correct errors in software
- Required to exercise or protect free speech
- Collected in compliance with California Electronic Communications Privacy Act
- Required for scientific, historial or statistical research which benefits the public good
- Used internally to fulfill the expectations of the customer based on the customer’s business relationship with the company
- Required to comply with a legal operation