- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
What personal information does an employer typically collect about its employees?
- Benefits elections.
- Correspondence to/from the employee and the employer.
- Correspondence to/from the employee and other employees.
- Correspondence to/from the employee and customers or clients of the employer.
- Complaints made about the employee.
- Complaints made by the employee.
- Disciplinary actions and related investigation files..
- Employment eligibility verification information (e.g., I-9, Social Security Number).
- Job application.
- Pay details (e.g., direct deposit information).
- Pay history.
- Performance reviews.
- Personnel files.
- Salary and salary history.
- Time and attendance.
Does the CCPA apply to cookies that are used for data analytics?
It is not clear.
The California Attorney General was asked to clarify whether the CCPA applies to a website that utilizes “cookies to track traffic” assuming that such cookies were not utilized to sell data or to market products.1 The Attorney General refused to provide guidance stating only that the determination as to whether cookies that track website traffic (e.g., analytics cookies) are governed by the Act “raises specific legal questions that may require a fact-specific determination.”2 The Attorney General further advised a business that utilizes such cookies to “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.”3
Although the California Attorney General did not specify what “facts” and “concerns” he believes are relevant to the analysis, whether an analytics cookie is governed by the CCPA arguably turns on the Act’s definition of “personal information.”
The phrase “personal information” is defined within the CCPA to mean any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”4 The CCPA includes a non-exhaustive list of data types that might fall within that definition. That list includes “unique personal identifiers,”5 a term which itself is defined as including “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”6 When the qualifiers found within the definition of “personal information” are combined the CCPA suggests that an analytics cookies should not be considered personal information regulated by the statute unless, at a minimum, the following three conditions are met:
- The analytics cookie is persistent (i.e., tracks “over time”),
- The analytics cookie is used to track across multiple websites (i.e., “across different services”), and
- The analytics cookie can “reasonably be linked” to a particular consumer or household (as opposed to a particular device that may, or may not, be shared among a number of individuals).
Is the CCPA’s definition of “biometric information” broader than the definition used by other states?
The CCPA defines “personal information” broadly as any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 The statute includes a non-exhaustive list of eleven categories of data that may fall under that definition. One of those categories is “biometric information.”2
While the CCPA provides a definition of “biometric information,” it is worth noting that the CCPA’s definition differs from the definition of the term within other statutes and legal systems. The following provides a side-by-side comparison of the definition within the CCPA and the definition within the Illinois Biometric Information Privacy Act (“BIPA”). In some ways, the California definition may be broader, as it purports to include such things as “imagery” of an individual’s palm or vein patterns, and voice recordings, so long as an “identifier template” can be created from such data. It also purports to include characteristics such as “keystroke patterns or rhythms” that would rarely be considered “biometric data” by consumers or in other privacy statutes:
|CCPA3||Illinois Biometric Information Privacy Act (“BIPA”)4|
|“Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.||“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
CCPA Privacy FAQs: Does the CCPA incorporate the definition of “personal information” from other statutes?
The CCPA defines the phrase “personal information” as referring to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 The CCPA goes on to provide a non-exhaustive list of data categories that might fall under that broad definition. That list, however, incorporates categories of personal information from other statutes, including California Civil Code Section 1798.80(e), and some of the incorporated-by-reference categories are redundant to categories included elsewhere in the CCPA’s personal information definition. The following identifies and de-duplicates the “categories” of personal information named, or cross-referenced, in the CCPA:
|Category of Personal Information||CCPA||California Civil Code 1798.80(e) (integrated into CCPA via 1798.140(o)(B).|
|1. Audio, electronic, visual, thermal, olfactory, or similar information||1798.140(o)(1)(H)|
|2. Bank account number||1798.80(e)|
|3. Biometric information||1798.140(o)(1)(E)|
|4. Commercial information (e.g., products or services purchased, or other purchasing or consuming histories or tendencies)||1798.140(o)(1)(D)|
|5. Credit card number||1798.80(e)|
|6. Debit card number||1798.80(e)|
|7. Driver’s License Number / State ID||1798.80(e)|
|8. Education||1798.140(o)(1)(J) (within the scope of FERPA)||1798.80(e)|
|9. Electronic network activity (e.g., browsing history)||1798.140(o)(1)(F)|
|10. Email address||1798.140(o)(1)(A)|
|12. Employment history||1798.140(o)(1)(I)||1798.80(e)|
|13. Geolocation data||1798.140(o)(1)(G)|
|14. Health insurance information||1798.80(e)|
|15. Identifiers (e.g., name or alias)||1798.140(o)(1)(A)|
|16. Insurance Policy Number||1798.80(e)|
|17. Medical information||1798.80(e)|
|18. Online identifier (e.g. IP address)||1798.140(o)(1)(A)|
|19. Other financial information||1798.80(e)|
|20. Passport Number||1798.140(o)(1)(A)||1798.80(e)|
|21. Physical Characteristics||1798.80(e)|
|22. Postal address||1798.140(o)(1)(A)||1798.80(e)|
|24. Social Security Number||1798.140(o)(1)(A)||1798.80(e)|
|25. Telephone Number||1798.80(e)|
|26. Transaction information||1798.140(o)(1)(D)|
CCPA Privacy and Security FAQs: If a company receives a right to be forgotten request, does it have to delete the requestor’s IP address from its weblogs?
The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably be linked” with a particular person.2 There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA as it may not be capable of being reasonably linked with a particular person. There may also be an argument that many static IP addresses may not be “reasonably” linked to a consumer if they are not combined with other information that would permit the easy identification of that consumer.
Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.3 The CCPA provides ten exceptions pursuant to which a business can refuse a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.4Of those ten exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:
- Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.5 To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
- Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.6 To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
- Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.7 To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
- Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.8 Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use). To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
- Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” than the information does not need to be deleted.9 While this exception is similar to the previous exception, unlike the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. Again, in the context of IP addresses, if a company uses IP address in a context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
- Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.10In the context of IP addresses, if a company is required by law to maintain certain records – such as a weblog for security or audit trail purposes – this exception may be available to deny a deletion request.
CCPA Privacy and Security FAQs: Does the CCPA define “personal information” differently for privacy and security purposes?
The sections of the CCPA that relate to data privacy (i.e., the collection, use, and sharing of information) use a definition of “personal information” that includes approximately 26 categories or types of data.1That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2 In contrast, the sections of the CCPA that relate to data security (i.e., the protection of information) adopt a far narrower definition of “personal information” that includes only 6 categories of types of data. The following chart indicates which categories of personal information apply to the data privacy and the data security sections of the CCPA:
|Examples of Personal Information||Applies to Privacy Requirements of CCPA||Applies to Security Requirements of CCPA|
|1. Audio, electronic, visual, thermal, olfactory, or similar information||✓3|
|2. Bank account number||✓4||✓5|
|3. Biometric information||✓6|
|4. Commercial information (e.g., products or services purchased, or other purchasing or consuming histories or tendencies)||✓7|
|5. Credit card number||✓8||✓9|
|6. Debit card number||✓10||✓11|
|7. Driver’s License Number / State ID||✓12||✓13|
|9. Electronic network activity (e.g., browsing history)||✓15|
|10. Email address||✓16||Partial ✓17|
|12. Employment history||✓19|
|13. Geolocation data||✓20|
|14. Health insurance information||✓21||✓22|
|15. Identifiers (e.g., name or alias)||✓23||Partial ✓24|
|16. Insurance Policy Number||✓25||✓26|
|17. Medical information||✓27||✓28|
|18. Online identifier (e.g. IP address)||✓29|
|19. Other financial information||✓30|
|20. Passport Number||✓31|
|21. Physical Characteristics||✓32|
|22. Postal address||✓33|
|24. Social Security Number||✓35||✓36|
|25. Telephone Number||✓37|
|26. Transaction information||✓38|
CCPA Privacy FAQs: If a website participates in behavioral advertising, does Nevada privacy law require that it disclose that it is “selling” consumers’ information?
While Senate Bill No. 220 incorporates the CCPA’s concept of permitting consumers to object to the sale by a company of their information, it avoids many of the drafting errors, ambiguities, and business impracticalities of the CCPA, including its treatment of online behavioral advertising.
Unlike the CCPA, Nevada defines the term “sale” as including only “the exchange of covered information for monetary consideration by the operator [of a website] to a person for the person to license or sell the covered information to additional persons.”5 Nevada’s narrower definition precludes the term from applying to the use of third party behavioral advertising networks as (1) behavioral advertising networks typically do not provide advertisers or publishers with “monetary consideration” for the deployment of their cookies, and (2) while the behavioral advertising networks may use the information that they obtain from their cookies for the benefit of themselves and their other clients, they typically do not “license or sell” that information.