The California Consumer Privacy Act of 2018 (CCPA) is the first-of-its kind U.S. law that gives greater privacy rights to consumers who reside in the state. Borrowing many of the core principles of the European Union's General Data Protection Regulation (GDPR), the act enshrines significant rights for consumers by granting them unprecedented control over their personal information.

Set to go in effect in less than eight months on January 1, 2020, the CCPA forces companies to understand how it will impact the way they collect and process consumers' personal information. Because of the act's broad-reaching provisions, confusion exists regarding many of the details, with much of it rooted in a foundational provision: what constitutes personal information (PI) and how that differs from personally identifiable information (PII).

What follows is a primer to help companies understand the difference and how to prepare for CCPA accordingly.

What is Personal Information?

The starting point for understanding the difference between PI and PII lies in the definition of personal Information according to the CCPA:

“Personal Information” As defined in section 1798.140 of CCPA

    (o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The key takeaways here are “capable of being associated with, or could be reasonably linked directly or indirectly to a consumer or a household.” This opens the door for broad interpretation.

CCPA sets a precedent for U.S. privacy law in terms of expanding the definition of personal information. In essence, personal information is any data linked to a California individual or household, not just PII. It also establishes the need to determine and monitor identifiability of data.

How is PI Different than PII?

As organizations shift to predominantly online interactions with their customers, they are collecting petabytes of data about individuals at a breakneck pace. Organizations want to quickly respond and even anticipate their customers' needs.

Personal data of all sorts ranging from highly identifiable to preferences and geolocation is collected across application touchpoints creating personal data sprawl that has proved impossible to track or trace. And that's the rub, data unaccounted for is effectively unknown.

Much of the confusion about the differences between PI and PII stems from the fact that companies collect indirect identifiers that are combined to create a profile. Those pieces of information do not directly identify an individual on their own, but if combined with other datasets could be used to single them out. For example, information such as date of birth or a geolocation constitutes personal information that might narrow down a unique individual in the dataset. This falls under the broad interpretation of PI under CCPA.

Of course, enterprises have been required to find personally identifiable information (PII) for years—structured information tied to a person like Social Security numbers or credit card numbers.

Because the definition of personal information goes far beyond the categories of PII that we see in U.S. data breach notification laws, companies can't rely on tools using regular expression-based classifiers to identify personal information based on its connection to an identity.

Since PI resides across structured, unstructured and cloud data stores, companies should understand that data exists on a spectrum. The challenge is that it's rarely black and white—data is not always personal not always anonymous. Some datasets are explicitly personal because they contain names. Others are high-level statistics that are fairly innocuous. Most datasets live in a spectrum and more or less are likely to be associated with an individual.

CCPA introduces hefty fines and consumer rights of action to sue for noncompliance. Covered organizations must ensure they know where all personal information is stored to appropriately respond to consumer requests for that information in a timely manner.

CCPA establishes a standard for accountability in data processing and consequently, the need to operationalize opt-out procedures and delineate for sold, transferred and processed data.

How Businesses Should Prepare

If we learned anything from GDPR, it is that companies need to prepare as early as possible to be ready for the deadline. With that in mind, here are the most important considerations to prioritize.

Get your team on the same page. Ensure that your team has a shared understanding of the definition of personal information under CCPA.

Broaden data governance to include PI, not just PII. Organizations must map their data estates, identify all personal information as compared with the current standard of directly or indirectly identifiable attributes and inventory data by person and state of residence.

With regards to indirect identifiers, companies should obscure, mask or take other steps to ensure that those identifiers can't be used to reference outside datasets that can lead to the identification of an individual.

Effectively manage consent and monitor processing. To prove compliance and build trust with consumers, businesses should examine controls to manage downstream uses of PI with the ability to monitor and assure consent and uses of PI are appropriate.

Other long-term, ongoing considerations such as implementing privacy-by-design, building a customer self-service model for access requests and monitoring your security posture are important as well. But it all starts with focusing on personal information.

 

Debra J. Farber, JD, CISSP-ISSMP, CIPP/US, CIPP/G, CIPP/E, CIPT, CIPM, and FIP is the Senior Director of Privacy Strategy at BigID, where she launches and leads initiatives that evangelize and advance data privacy, industry collaboration, privacy engineering, product innovation, and strategic partnerships. Prior to BigID, Debra held privacy and information security leadership roles at American Express, Visa and IBM, and currently serves as Vice Chair of the U.S. Technology Advisory Group (TAG) to the ISO/PC 317 privacy-by-design for consumer goods and services standard-setting project, in addition to holding advisory roles with the IAPP, The Future of Privacy Forum, Habitu8, and TrustRank.