- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Do the terms “personal data,” and “personal information,” mean the same thing?
Only the term “personal information” is defined within the CCPA. It refers to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 That said, the term “personal data” is used instead of the term “personal information” within the CCPA’s definition of “processing” which is defined as “any operation or set of operations that are performed on personal data . . . .”2 It is not clear whether the change in terminology was intended to impart some meaning. The most plausible explanation for the use of the term “personal data” is that the drafters of the CCPA copied the definition of “processing” from the GDPR (which has a near identical definition of “processing”) and forgot to replace the word “personal data” (a term used within the GDPR) with the term “personal information.”3
It is also important to note that the terms “personal data” or “personal information” are used in other statutes and regulations in very different contexts and with very different meanings. For example, in the term “personal information” is defined under several other states statutes as referring only to name in combination with a small sub-set of data fields viewed by legislators as being particularly sensitive. For example, the state of Maryland defines the term as follows:
“an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: (i) A Social Security number; (ii) A driver’s license number; (iii) A financial account number . . .; (iv) An Individual Taxpayer Identification Number.4
In order to avoid confusion – particularly when drafting contracts– it is always a good practice to define terms within the contract, or to consistently use the term “personal information” when referring to something within the scope of the CCPA.
1. CCPA, Section 1798.140(o)(1)
2. CCPA, Section 1798.140(p).
3. Compare GDPR, Article 4(2).
4. Maryland Commercial Code § 14-3501(d)(1).