Editor’s note: This is the first article in a three-part series addressing some of the more significant areas of the draft regulations implementing the California Consumer Privacy Act as amended. The regulations were first published for public comment Oct. 11, 2019, subsequently updated and republished Feb. 7, and then again Feb. 10 to address a significant omission in the prior version. On March 11, California published its most recent version of the proposed regulations and collected public comments until March 27. This article focuses on how the CCPA regulations continue to interpret and provide guidance as to the meaning of “personal information.”
The California Consumer Privacy Act’s definition of “personal information” is convoluted in comparison with other data protection laws. Canada’s national data privacy legislation defines personal information as “information about an identifiable individual.” The EU General Data Protection Regulation defines it as “any information relating to an identified or identifiable natural person” (i.e., a data subject), which, in turn, refers to “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For more articles on this topic, visit the IAPP's Resource Center California Consumer Privacy Act page.
In contrast, the CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and “includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household ….” The CCPA then goes on to include no less than 50 examples of categories and subcategories of personal information, some of which overlap and others that are distinct.
The complexity of the definition of personal information is evident in the context of one’s online activity. More specifically, in Section 1798.140, the CCPA provides (in scattered subsections) that the following may be considered personal information: an internet protocol address; cookies, beacons and pixel tags (when used to recognize a consumer, a family or their devices over time and across different services); browsing history; internet search history; information regarding a consumer’s interaction with an internet website, application or advertisement; and other internet or electronic network activity information, so long as the information “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” This distinction between personal and nonpersonal information is particularly important for businesses that employ pixels, cookies or other online advertising or analytic tools on their websites, which often capture IP addresses and information on how users interact with their webpages. If one considers the data derived from these tools as “personal information” within the scope of the law, then presumably the (California-based) individual or household to whom the data relates is afforded data privacy rights to access and erasure. In addition, the CCPA’s “opt-out” of sale provisions would also apply to this online data, which businesses routinely share or disclose with the advertising technology industry for marketing and analytical services. (Whether such disclosure to third parties is for “valuable consideration” and constitutes a “sale” remains another unresolved and confusing aspect of the CCPA.)
The issue of personal information in the context of one’s online activity and how it relates to the data rights afforded to California residents is undoubtedly one of the most difficult areas related to CCPA compliance. The February regulations sought to address this ambiguity by drafting and incorporating a new provision — Section 999.302, “Guidance Regarding the Interpretation of CCPA Definitions.” Section 999.302 first reiterated the text of the CCPA and stated that whether information is “personal information” as that term is defined within the CCPA depends on whether it is retained and used by businesses in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” Next, Section 999.302 provided the following example of how this framework could work in practice: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information’” under the law. The March regulations struck Section 999.302 in its entirety and did not replace it with any analogous guidance.
The European approach
By introducing Section 999.302, the California attorney general appears to have adopted a position published years earlier by an EU data privacy advisory body, the Article 29 Working Party. Given that provisions within the CCPA are almost a mirror image of the EU General Data Protection Regulation, it is not surprising that California’s government would continue to look to the EU for guidance. (Section 1798.145(i)(3) of the CCPA reflects Section 12(5) of the GDPR almost verbatim, simply changing “data subject” to “consumer” and “controller” to “business” to avoid any inconsistencies.) In 2007, the WP29 issued a formal opinion “on the concept of personal data” to provide guidance on understanding the meaning and scope of personal data in the context of, among other things, IP addresses, which is analogous to Section 999.302.
According to the WP29, “where the processing of IP addresses is carried out with the purpose of identifying the users” of a specific device or computer, one can anticipate that the means to identify the individuals will be available and therefore the information should be considered personal data within the law’s scope. As an example, the WP29 describes efforts by copyright holders to collect and retain IP addresses to prosecute violations of their intellectual property rights. In such circumstances, the WP29 found that the copyright holder would have the means to identify such individuals through the common discovery processes used in civil litigation. Similarly, and consistent with guidance it published years earlier, the WP29 emphasized that internet service providers can almost always identify individuals based on IP addresses because of their technological capabilities, access to third-party devices and business requirement; therefore, unless it can “distinguish with absolute certainty that the data correspond to users that cannot be identified, [an ISP] will have to treat all IP information as personal data, to be on the safe side.”
On the other hand, according to the WP29, “some sorts of IP addresses … under certain circumstances indeed do not allow identification of the user, for various technical and organizational reasons” and, therefore, would not be considered personal data under the law. For example, “the IP addresses attributed to a computer in an internet cafe, where no identification of the customers is requested” would not be considered personal data because “the data collected on the use of computer X during a certain timeframe does not allow identification of the user with reasonable means.”
One can argue that by including Section 999.302 in the February regulations, California was seeking to incorporate the WP29’s concept of IP addresses and online identifiers into the law’s definition of personal information. In other words, it appears California recognized that it is common practice for businesses to collect their website users’ IP addresses for many innocuous reasons, including for purposes related to general website functionality (e.g., first-party session cookies) and that these businesses never intend to actually link the site user to a particular individual or household. In fact, it is often third-party analytical and marketing service providers, and not the businesses, that seek to link IP addresses and other online identifiers with a specific user or platform (e.g., a third-party cookie). Therefore, Section 999.302 could have provided greater certainty that IP addresses collected from a business’s website would not (by themselves) be considered personal information under the CCPA.
Significant regulatory amendments
As noted above, the March regulations struck Section 999.302 in its entirety. Depending how much weight is given to regulatory drafting history, one could potentially argue that by removing this section, the California attorney general rejected the WP29's nuanced approach to IP addresses and considers IP addresses and similar online identifiers to be, under a broader range of circumstances, personal information under the law. In particular, California considered limiting the applicability of certain IP addresses from the scope of personal information as set forth in the February regulation and then simply rejected that approach altogether. In other words, the removal of Section 999.302 will likely make it more difficult for businesses to argue that California adopted an interpretation of the meaning of personal information in the online context in a manner similar to its EU counterparts.
Regardless of the outcome, it has been almost two years to the date since the CCPA was first drafted and enacted by the California government, and yet, as demonstrated through the February and March regulations, the California government is still adjusting its interpretation to the most fundamental aspect of the law — defining and scoping the meaning of personal information.
Photo by Iñaki del Olmo on Unsplash
If you want to comment on this post, you need to login.