Ed. Note: This is the first installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the ABA for granting us permission to share them with our readers.

******

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it.

The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony, the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business. The following excerpt was reproduced with the permission of the ABA.[1]

Is the CCPA’s definition of personal information the same as the European GDPR’s definition of personal data?

No.

The definition of “personal information” under the CCPA is not identical to the definition used within the European GDPR of “personal data,” although there are similarities.  The following provides a side-by-side comparison of the two terms:

CCPA [2]:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household . . .

GDPR [3]:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

While it is difficult to identify data types that would fall under the CCPA’s definition of “personal information,” and would not fall under the GDPR’s definition of “personal data,” the reverse is not necessarily true. Put differently, it is possible for data to be considered “personal data” under the GDPR because it can theoretically be linked to an individual, and not be considered “personal information” under the CCPA because it cannot reasonably be linked to an individual. For example, while European regulators have suggested that data that is hashed would still fall within the definition of “personal data” because there remains a theoretical possibility that the data could be re-identified,[4] a California court could determine that such information falls outside the scope of the CCPA as it cannot be “reasonably” linked to a consumer.

There are other differences between the definition of “personal information” under the CCPA, and “personal data” under the GDPR. The CCPA expressly excludes from its definition of personal information any “publicly available information,” a term which is defined as referring to “information that is lawfully made available from federal, state, or local government records.”[5] So, for example, under the CCPA the ownership of a residence (a matter of public record) might not be considered “personal information,” whereas such information would be considered “personal data” under the GDPR.

Notes

  1. The full book may be purchased on the ABA’s website at shopABA.org.
  2. Cal. Civ. Code § 1798.140(o)(1) (West 2020).
  3. GDPR, Article 4(1).
  4. See Opinion of the Data Protection Working Party on Anonymisation Techniques, 0829/14/EN WP 216 at 20 (adopted on April 10, 2014).
  5. Cal. Civ. Code § 1798.140(o)(2) (West 2020).