Ed. NoteThis is the eleventh installment in a year-long series the WLF Legal Pulse is hosting of “frequently asked questions” on two California laws meant to protect the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, authored a book on the laws for the American Bar Association from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it. The American Bar Association (ABA) recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by David Zetoony the Co-Chair of the United States data privacy and security practice at Greenberg Traurig LLP.  The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business.  The following excerpt was reproduced with the permission of the ABA. 

***

Question: Do the CCPA’s data security provisions apply to all types of personal information?

Answer: No

The sections of the CCPA that relate to data privacy (i.e., the collection, use, and sharing of information) use a definition of “personal information” that includes 55 data types.1 In contrast, the sections of the CCPA that relate to the ability of a consumer to bring suit in relation to a data security issue (i.e., the protection of information) apply to only nine data types.  The following chart illustrates which categories of personal information apply to the data privacy and the data security sections of the CCPA:

The CPRA amended the CCPA to add “sensitive personal information” to the examples of data types that may constitute personal information.39  The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields.  Some, but not all, of these data fields already existed in the CCPA.  The CPRA further expanded the data types to which the security provisions apply to include email address in combination with a password or security question and answer that would permit access to the account.”40

Notes:

  1. Cal. Civ. Code § 1798.140(v)(1) (West 2021).
  2. Cal. Civ. Code § 1798.140(v)(1)(H) (West 2021).
  3. Cal. Civ. Code § 1798.80(e) (West 2021) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  4. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(B) (West 2021)).
  5. Cal. Civ. Code § 1798.140(v)(1)(E) (West 2021).
  6. Cal. Civ. Code § 1798.140(v)(1)(D) (West 2021).
  7. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  8. Cal. Civ. Code § 1798.81.5(d)(1)(A)(iii) (West 2021) (in combination with name).
  9. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  10. Cal. Civ. Code § 1798.81.5(d)(1)(A)(iii) (West 2021) (in combination with name).
  11. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  12. Cal. Civ. Code § 1798.81.5(d)(1)(A)(ii) (West 2021) (in combination with name).
  13. Cal. Civ. Code § 1798.140(v)(1)(J) (West 2021) (within the scope of FERPA).
  14. Cal. Civ. Code § 1798.140(v)(1)(F) (West 2021).
  15. Cal. Civ. Code § 1798.140(v)(1)(A) (West 2021).
  16. Note that email address in combination with a password or security question was added by the CPRA and, therefore, will not become operative until January 1, 2023.
  17. Cal. Civ. Code § 1798.140(v)(1)(I) (West 2021).
  18. Cal. Civ. Code § 1798.140(v)(1)(I) (West 2021).
  19. Cal. Civ. Code § 1798.140(v)(1)(G) (West 2021).
  20. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  21. Cal. Civ. Code § 1798.81.5(d)(1)(A)(v) (West 2021) (in combination with name).
  22. Cal. Civ. Code § 1798.140(v)(1)(A) (West 2021).
  23. Cal. Civ. Code § 1798.81.5(d)(1)(A)(ii) (West 2021) (only if a name is in combination with another sensitive field, or if a username or email address is in combination with a password).
  24. Cal. Civ. Code § 1798.80(e) (integrated via § 1798.140(v)(1)(B) (West 2021)).
  25. Cal. Civ. Code § 1798.81.5(d)(1)(A)(iv) (West 2021) (in combination with name).
  26. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  27. Cal. Civ. Code § 1798.81.5(d)(1)(A)(iv) (West 2021) (in combination with name).
  28. Cal. Civ. Code § 1798.140(v)(1)(A) (West 2021).
  29. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  30. Cal. Civ. Code § 1798.140(v)(1)(A) (West 2021).
  31. Cal. Civ. Code § 1798.81.5(d)(1)(A)(ii) (West 2021) (in combination with name).
  32. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  33. Cal. Civ. Code § 1798.140(v)(1)(A) (West 2021).
  34. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021)).
  35. Cal. Civ. Code § 1798.140(v)(1)(A) (West 2021).
  36. Cal. Civ. Code § 1798.81.5(d)(1)(A)(i) (West 2021) (in combination with name).
  37. Cal. Civ. Code § 1798.80(e) (integrated via Cal. Civ. Code § 1798.140(v)(1)(B) (West 2021).
  38. Cal. Civ. Code § 1798.140(v)(1)(D) (West 2021).
  39. Cal. Civ. Code § 1798.140(v)(1)(L) (West 2021).
  40. Cal. Civ. Code § 1798.150(a)(1) (West 2021).