In my last few posts, I've been looking at data protection issues raised by the recently enacted California Consumer Privacy Act of 2018, or CCPA. This law, which goes into effect January 1, 2020, grants California residents rights similar to those of the EU's General Data Protection Regulation (GDPR). For example, CCPA grants the right to request disclosure of what data is being stored and how it's being used. It imposes penalties for unauthorized exposure, as well as the right to be deleted from an organization’s data environment. Both laws share some interesting peculiarities. As we examine the definition of personal information, let's look specifically at the breadth of what “personal information” means.

The GDPR definition of personal information (i.e., personal data)

The way GDPR defines personal data is relatively succinct, yet quite broad:

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This definition encompasses identifiers that uniquely refer to an individual and through that reference include characteristic information about that person. In other words, it covers “factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.” This differs from the CCPA definition of personal information.

The CCPA definition of personal information

As I noted in a recent post, the CCPA definition of personal information is somewhat more explicit than that of GDPR. It includes the same identifiers as GDPR – but it also includes geolocation data and “audio, electronic, visual, thermal, olfactory, or similar information.” Further, it includes “inferences drawn from any of the information identified…”.

That last point is quite interesting, as it creates a dimension for CCPA compliance that is not present in GDPR. It suggests that the result of any type of data integration or analysis process that allows you to learn something about an individual is also subject to CCPA protection. Consider an example. An individual named John Collins has a residential address of 123 Main Street and the telephone number (204) 555-1898. In another database, there's a record for a business (“Acme Direct, Inc.”) that shares the same address and telephone number. A master data integration process will link those two records together. As a result, the organization could infer that John Collins is somehow associated with Acme Direct, Inc.

Part of the CCPA definition of personal information includes “professional or employment-related information.” So we have now linked two records that allow us to infer professional or employment-related information about John Collins. What are the implications for CCPA compliance?

Understanding implications for CCPA compliance

One side of the spectrum (the “infection” approach) says because the business record has been linked to a personal record, the business record would also have to be included in the realm of data instances covered by CCPA. So, for example, if John requests to be deleted, the business association would also have to be scrubbed. A different side of the spectrum (the “materialization” approach) might say that unless that inference is made explicit by storing it in a database, it would not be subject to CCPA directives. Of course, there are approaches between these two ends of the spectrum. The main point is that including the concept of “inferences” in the definition of personal information potentially opens a can of worms when it comes to devising a compliance and governance strategy.