Getting Ready for the U.S.'s Toughest Privacy Law: What is Personal Information?
Because of the act's broad-reaching provisions, confusion exists regarding many of the details, with much of it rooted in a foundational provision: what constitutes personal information (PI) and how that differs from personally identifiable information (PII).
May 09, 2019 at 07:00 AM
6 minute read
The California Consumer Privacy Act of 2018 (CCPA) is the first-of-its kind U.S. law that gives greater privacy rights to consumers who reside in the state. Borrowing many of the core principles of the European Union's General Data Protection Regulation (GDPR), the act enshrines significant rights for consumers by granting them unprecedented control over their personal information.
Set to go in effect in less than eight months on January 1, 2020, the CCPA forces companies to understand how it will impact the way they collect and process consumers' personal information. Because of the act's broad-reaching provisions, confusion exists regarding many of the details, with much of it rooted in a foundational provision: what constitutes personal information (PI) and how that differs from personally identifiable information (PII).
What follows is a primer to help companies understand the difference and how to prepare for CCPA accordingly.
|What is Personal Information?
The starting point for understanding the difference between PI and PII lies in the definition of personal Information according to the CCPA:
“Personal Information” As defined in section 1798.140 of CCPA
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The key takeaways here are “capable of being associated with, or could be reasonably linked directly or indirectly to a consumer or a household.” This opens the door for broad interpretation.
CCPA sets a precedent for U.S. privacy law in terms of expanding the definition of personal information. In essence, personal information is any data linked to a California individual or household, not just PII. It also establishes the need to determine and monitor identifiability of data.
|How is PI Different than PII?
As organizations shift to predominantly online interactions with their customers, they are collecting petabytes of data about individuals at a breakneck pace. Organizations want to quickly respond and even anticipate their customers' needs.
Personal data of all sorts ranging from highly identifiable to preferences and geolocation is collected across application touchpoints creating personal data sprawl that has proved impossible to track or trace. And that's the rub, data unaccounted for is effectively unknown.
Much of the confusion about the differences between PI and PII stems from the fact that companies collect indirect identifiers that are combined to create a profile. Those pieces of information do not directly identify an individual on their own, but if combined with other datasets could be used to single them out. For example, information such as date of birth or a geolocation constitutes personal information that might narrow down a unique individual in the dataset. This falls under the broad interpretation of PI under CCPA.
Of course, enterprises have been required to find personally identifiable information (PII) for years—structured information tied to a person like Social Security numbers or credit card numbers.
Because the definition of personal information goes far beyond the categories of PII that we see in U.S. data breach notification laws, companies can't rely on tools using regular expression-based classifiers to identify personal information based on its connection to an identity.
Since PI resides across structured, unstructured and cloud data stores, companies should understand that data exists on a spectrum. The challenge is that it's rarely black and white—data is not always personal not always anonymous. Some datasets are explicitly personal because they contain names. Others are high-level statistics that are fairly innocuous. Most datasets live in a spectrum and more or less are likely to be associated with an individual.
CCPA introduces hefty fines and consumer rights of action to sue for noncompliance. Covered organizations must ensure they know where all personal information is stored to appropriately respond to consumer requests for that information in a timely manner.
CCPA establishes a standard for accountability in data processing and consequently, the need to operationalize opt-out procedures and delineate for sold, transferred and processed data.
|How Businesses Should Prepare
If we learned anything from GDPR, it is that companies need to prepare as early as possible to be ready for the deadline. With that in mind, here are the most important considerations to prioritize.
Get your team on the same page. Ensure that your team has a shared understanding of the definition of personal information under CCPA.
Broaden data governance to include PI, not just PII. Organizations must map their data estates, identify all personal information as compared with the current standard of directly or indirectly identifiable attributes and inventory data by person and state of residence.
With regards to indirect identifiers, companies should obscure, mask or take other steps to ensure that those identifiers can't be used to reference outside datasets that can lead to the identification of an individual.
Effectively manage consent and monitor processing. To prove compliance and build trust with consumers, businesses should examine controls to manage downstream uses of PI with the ability to monitor and assure consent and uses of PI are appropriate.
Other long-term, ongoing considerations such as implementing privacy-by-design, building a customer self-service model for access requests and monitoring your security posture are important as well. But it all starts with focusing on personal information.
Debra J. Farber, JD, CISSP-ISSMP, CIPP/US, CIPP/G, CIPP/E, CIPT, CIPM, and FIP is the Senior Director of Privacy Strategy at BigID, where she launches and leads initiatives that evangelize and advance data privacy, industry collaboration, privacy engineering, product innovation, and strategic partnerships. Prior to BigID, Debra held privacy and information security leadership roles at American Express, Visa and IBM, and currently serves as Vice Chair of the U.S. Technology Advisory Group (TAG) to the ISO/PC 317 privacy-by-design for consumer goods and services standard-setting project, in addition to holding advisory roles with the IAPP, The Future of Privacy Forum, Habitu8, and TrustRank.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250