PII under CCPA refers to personally identifiable information under the California Consumer Privacy Act. This legislation has compliance implications for organizations that sell information about Californian citizens to other entities. CCPA applies to companies based anywhere in the world that process information related to citizens of California.
What is CCPA?
CCPA is a data privacy law that came into effect in 2020. Although it is Californian legislation, it applies to any business that operates within the state, even if that business is based elsewhere.
The legislation applies to organizations that sell personally identifiable information about people who are resident in California. In the context of CCPA, selling means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…for monetary or other valuable consideration.”
Companies are bound by CCPA if they meet any of the following criteria:
- They sell PII about more than 50,000 Californians annually; or
- They have a gross annual revenue in excess of $25 million; or
- They derive more than 50% of annual revenue from selling information about Californians
If the organization that owns the data meets these criteria, it must manage PII under CCPA rules. This includes giving people the right to opt out, the right to request disclosure about data usage, and the right to request the deletion of their PII. Failure to meet these rules can result in fines of up to $750 per user.
What Counts as PII Under CCPA?
CCPA rules offer a broad definition of PII. Essentially, it includes any data that can be used to identify an individual or household, either directly or indirectly. The text of the act offers some examples, although this list is not exhaustive:
Direct identifiers are items of data that link directly to an individual:
- Real name
- Home address
- Email address
- Phone number
- Bank account or credit card number
- State ID card number
- Passport information
- Driver’s license details
- Image of the subject’s signature
Another type of PII relates to the individual’s online presence, which someone could potentially trace back to them. It includes:
- Unique identifiers
- Account names
- IP addresses
- References to any records that hold direct identifiers, such as a ticket number or an invoice number
Biometric information is an emerging class of PII that has expanded in recent years. Items in this category include:
- Retina scans
- Facial recognition data
- Voice pattern data
- Handwriting analysis
- Typing recognition
Website activity logs are PII if those logs contain information that links the records to an individual user. Examples of this include:
- Cookie preferences
- Browsing history
- Website analytics
- Search history
- App activity
- Matches with marketing personas
A number of apps and services generate geolocation data, and they may log this for legitimate purposes. When the data refers to an individual, it is considered PII. This includes:
- Mobile device location history
- Geolocation data associated with app activity
- Geotags on files such as photos and videos
- Images containing identifiable location information, such as pictures of street names
Another class of data relates to the subject’s employment. It can originate directly from the employer or from third parties such as payroll management services. This type of data includes:
- Employee ID
- Remittance details
- Salary records
- Copies of contracts and correspondence
- Evaluation reports
- Internal memos that refer to a specific employee
Protected Class Data
PII also includes any data that refers to any personal characteristic that could lead to discrimination. These are categories protected under the California Civil Code, which include:
- Gender (including details of pregnancy)
- Sexual orientation
- Citizenship status
Education information covers data identified as PII in the Family Educational Rights and Privacy Act. It includes:
- Institutes attended
- Years attended
- Grades acquired
- Grants and scholarships allocated
Many organizations have the ability to build user profiles through data analytics techniques. Using these methods, they can infer information about an individual. This includes profile data about a person’s:
- Psychological trends and predispositions
- Social and political tendencies
Commercial information refers to business activity that may refer back to an identifiable person. This can include:
- Property records
- Invoices for sales and purchases
- Marketing records
- Pre-sales queries
What is Not PII Under CCPA?
The legislation does include some exceptions for what may not be considered PII under CCPA. These exceptions are:
When the User has Consented
The person identified in data can consent to the organization selling their information to a third party. Users must give consent freely and explicitly, and the user can revoke consent at any time. They can also request that the business delete their PII entirely.
When the Data is Pseudonymized
Organizations can sell or transmit PII if they take adequate steps to protect the identity of the individuals. Usually, this involves a data masking or data obfuscation process, where the information is scrambled or hidden in some way. There must be no way to reverse-engineer this process and obtain personal information from the data.
When the Data is Publicly Available
If the data is a matter of public record, then it is not covered by CCPA rules. An example of this is a phone number or email address that the user has published on their website.
The data owner has the responsibility for showing that the data is available to the public. If the user removes their data from public records, it might be considered PII under CCPA.
In all cases, it is up to the data owner to ensure that they stay within the rules of CCPA when selling data. Most businesses will choose to perform a full data audit before exchanging PII with another company to ensure that they are compliant with CCPA rules.