CYBER RISK & LAW



CCPA Landmine No 1


The Expanded Definition of Personal Information

The CCPA's definition of “personal information” is expansive and includes:

- Commercial Information and Network Activity – Commercial information, like other aspects of the definition, essentially includes buying habits. Network activity relates to (among other things) data culled from internet tracking tools. Both could be said to cover browsing history. If you collect data in either of these categories, include it in your data map and in your CCPA response process.

- Households – Businesses familiar with GDPR know that “households” are not included in the GDPR definition; however, some European enforcement actions have interpreted “personal data” to include households. The CCPA states affirmatively that information relating to households is covered under the definition. While “household” is not defined, it’s fair to assume that the definition will mirror the definition of household found in the Digital Infrastructure and Video Competition Act of 2006. At a minimum, we expect that a shared residential address, as well as shared IP addresses, will constitute a “household”.

- Subsidiaries and Parents – Make sure that you are familiar with the practices of related entities: the CCPA’s definition of a covered company includes “an entity that controls or is controlled by” a covered company. Even subsidiaries that do not meet the threshold are covered if their parent DOES meet the threshold and they share common branding.

- Inferences – The final category set forth in the CCPA definition of Personal Information is “inferences drawn” from the data collected from users. If your organization draws inferences from collected data, be aware that such inferences are a part of the definition of personal information.

There are other distinctive categories included in the definition, such as geolocation and thermal or olfactory information, but those are likely not an issue for most businesses. Nonetheless, while the categories may seem far-fetched, poll your senior management to make sure such data is not sitting in an obscure data storehouse.
