CPRA countdown: Changes to the definition of “personal information”

“Sensitive Personal Information”

The CPRA creates a new category of personal information, called "sensitive personal information."  Sensitive personal information includes the following subcategories:

• Social Security, driver’s license numbers, state identification card, and passport numbers;
• Financial account, debit card, or credit card numbers in combination with required security or access codes, passwords, or credentials allowing access to an account;
• Account login in combination with required security or access codes, passwords, or credentials allowing access to the account;
• Precise geolocation (i.e., information used or intended to be used to locate a consumer within a geographic area equal to or less than approximately 1/8 square mile); 
• Information about racial or ethnic origin, religious beliefs, philosophical beliefs, or union membership; 
• Contents of consumers’ mail, emails, or text messages, unless the business is the intended recipient of that information;
• Genetic data;
• Information concerning a consumer’s health, sex life, or sexual orientation; and
• Biometric information used for the purpose of uniquely identifying a consumer. 

It is worth noting that the CPRA also amends the definition of “biometric information” to include only information that “is used or intended to be used” to establish individual identity (compared to the CCPA definition which extends to information that “can be used” for such purposes).

The CPRA will require businesses to provide consumers with information about the collection, use, sharing, and retention of sensitive personal information. And the CPRA provides consumers with new rights regarding the use and sharing of such information. We will discuss these new obligations and rights in a future blog post. To prepare for compliance with these new obligations, businesses should take inventory of the types of sensitive personal information they collect and how they process it. 

Expanding the Exception for “Publicly Available” Information 

Under the CCPA, “personal information” does not include publicly available information “that is lawfully made available from federal, state, or local government records.” This exception is fairly narrow and does not include information that individuals voluntarily publish online via social media or similar channels.

The CPRA expands this “publicly available” exception, thereby limiting the range of what constitutes personal information subject to the law. Under the CPRA, personal information does not include publicly available information or truthful information that is lawfully obtained and a matter of public concern. The CPRA defines “publicly available” as:

• information that is lawfully made available from federal, state, or local government records;
• information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; and 
• information made available by a person to whom the consumer disclosed the information if the consumer has not restricted the information to a specific audience.

There are ambiguities here that will need to be sorted out. First, it is not clear whether the second use of “by the consumer” in the second bullet is intentional, as it appears to be redundant.  Second, it is not clear how broad the exception in the third bullet is. That exception would apply to product reviews and similar information that consumers provide to businesses, unless the consumer stated, “This is for your eyes only.” But would the exception apply to home addresses, phone numbers, or other information that consumers provide to businesses if consumers do not expressly restrict the scope of disclosure? Regardless of how these ambiguities are resolved, the expanded exception removes from the scope of the CPRA information that a consumer makes available to the general public via social media. The term “available to the general public” is not defined in the CPRA, but presumably it would include social media content available to all users and would not include social media content made available only to limited audiences.

Like the CCPA, the CPRA does not treat biometric information collected by a business about a consumer without the consumer’s knowledge as publicly available information that does not constitute personal information. So, facial recognition and other technologies that record consumers in public spaces may need to be addressed in CPRA compliance programs. 

Exclusion of “Deidentified” Information

The CPRA maintains the CCPA’s exclusion of deidentified or aggregate consumer information from the scope of personal information. However, the CPRA revises the definition of “deidentified.” 

• CCPA Definition: “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. . . .” 
• CPRA Definition: “information that cannot reasonably be used to infer information about or otherwise be linked to, a particular consumer . . . .” 

Some might argue that the CPRA’s definition—focusing only on whether information can be used to infer information about or link to a consumer—establishes a lower bar for deidentification than does the CCPA (which focuses on the potential for identification, relation, description, association, and linkage).  However, the CPRA requires businesses to implement contracting controls and publicly commit to deidentification processes, which, as we will discuss in a future blog post, may raise challenges.  

Businesses preparing for the CPRA’s 2023 effective date should review and update their data inventories and compliance strategies to align with the updated definitions. 

To read our previously-published summary of the CPRA’s key provisions, click here.

For additional context we provided in June 2020 at the time the CPRA was certified to appear on the November 2020 ballot, click here. 
 

Authored by James Denvil and Arielle Brown.