Lydia de la Torre
Squire Patton Boggs, Of Counsel
Santa Clara Law School, Adjunct Professor
NOTE: As of the date of publication of this article, a bill (Assembly Bill 874) modifying the current definition of personal information to add “reasonably” before “capable of being associated with” has been approved by the California legislature and is awaiting signature by the Governor of California. The article is based on the definition of personal information under Cal. Civ. Code. Section 1798.140(o)(1) as modified Assembly Bill 874 (that is to say, it assumes that the bill will not be vetoed by the Governor).
The California Consumers Privacy Act (CCPA) represents a quantum leap in US privacy, and the core of that change is the expansive concept of personal information . The CCPA definition of personal information can be best understood by analyzing separately each of the four closely intertwined building blocks embedded in it: (i) “information”; (ii) “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked”; (iii) “directly or indirectly”; (iv) “with a particular consumer or household”. Any specific piece of data will have to meet the four requirements outlined above in order to be deemed personal information under CCPA.
Each of these requirements addresses an important question:
(i) First building block:
The question addressed by the first building block of the definition of personal data (“information”) is: What constitutes “information” under CCPA?
(ii) Second building block:
The question addressed by the second building block of the definition of personal data (“that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked”) is: What kind of nexus must exist between the information and the “consumer” or “household” for the information to be deemed personal in nature?
(iii) Third building block:
The question addressed by the third building block of the definition of personal data (“directly or indirectly”) is: Can the specific consumer or household to whom the information relates be identified? (in particular, what types of ‘connectors’ should be considered to achieve identification and what due diligence is expected from organizations)
(iv) Fourth building block:
The question answered by the fourth building block of the definition of personal data (“with a particular consumer or household”) is: Whose information is regulated by CCPA? (in other words, what is a “consumer” and what is a “household” under CCPA?)
FIRST BUILDING BLOCK: What constitutes “information” under CCPA?
The first building block of the definition addresses the question of what kind of data can be considered personal information under CCPA. The use of the term “information” signals a legislative intent for a broad interpretation of the concept.
Not only objective statements (e.g. the presence of a certain substance in one’s blood) but also subjective statements (e.g. opinions or assessments) can be information. Sectors that tend to process significant amounts of subjective information such as banking or insurance (e.g. X is “a reliable borrower”, or “not expected to die before he turns 80”) will be affected. Although it is not necessary that information be true or proven to constitute personal information, CCPA does not provide consumers the option to request the correction of inaccurate information. It is important to note that non-sensitive information can be personal and, therefore, information that may not be particularly risky in nature, such as a person’s browsing history or IP address, will be regulated by CCPA provided that all other requirements are met.
There are no limitations regarding the format or the medium on which the information is contained. Information kept in graphical form (pictures) or stored as sound (acoustic recordings) can be personal information provided that the other criteria in the definition are fulfilled. It is also important to note that, as opposed to the General Data Protection Regulation (GDPR), the CCPA does not require that information be part of a filing system or be stored in a computer .
The use of the term “information” denotes the communication or reception of knowledge or intelligence. In that sense, it can be argued that not all data is information. For example, machine to machine communications may not be information under CCPA unless the data communicated is expressed in a manner that is understandable by the human mind.
Cal. Civ. Code § 1798.140(o)(1) provides examples of information that, provided all elements are met, can be considered personal information. The examples include identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. Inferences drawn from any of the information listed in the examples to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes are also personal information under CCPA. (See, Cal. Civ. Code § 1798.140(o)(1)(K)).
SECOND BUILDING BLOCK: What kind of nexus must exist between the “information” and the “consumer” or “household” for the information to be deemed personal in nature?
Any information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked” with a “consumer or household” is potentially personal information under CCPA. This building block is crucial to define the scope of the concept precisely. The key question is what kind of nexus should exist between the information and the “consumer or household” for the information to be considered personal in nature.
In some cases, the relationship is self-evident. Clearly, information that identifies a “consumer or household” is personal information. For example, the image of a person filmed on a video interview of that person or a fingerprint‘identify’ a person and, therefore, will be considered personal information under CCPA. Such information relates to an individual or household by virtue of its content can and therefore can be said to identify that individual or household.
Information that “describes” is also within the scope of CCPA. This could include descriptions of habits and practices that can lead to the identification of “consumer” or “household”. For example, drug prescription information (e.g., drug identification number, drug name, drug strength, manufacturer, selling price, new or refill, reasons for use, reasons for no substitution order, prescriber’s first and last name, phone number, etc.), whether in the form of an individual prescription or in the form of patterns discerned from a number of prescriptions, can be considered as personal information both about the patient and potentially about the physician who prescribes this drug (even if the patient is anonymous). Thus, a pharmacy that “sells” prescription information about the prescriptions issued by a doctor to data brokers or drug manufacturers could be said to “sell” personal information under CCPA and would be required to provide those doctors an option to “opt-out”. In the same way, where a data broker sells aggregate prescription information to a drug manufacturing company revealing the prescription habits of doctors the transfer could be considered a sale and be subject to the right to opt-out under CCPA. It is important to note that the restrictions imposed by CCPA could conflict with the right to free speech of pharmacies and data brokers. In Sorrell v. IMS Health Inc. a Vermont statute that, absent consent, prohibited the sale of prescription information by pharmacies, health insurers and similar entities to data brokers for marketing purposes was declared unconstitutional although the record supported that the information was being sold to drug companies and used to push sales for more expensive and sometimes less effective drugs. However, the outcome of a constitutional challenge to CCPA based on the fact pattern described above is uncertain because the requirements in the California statute might be distinguishable from those in the Vermont statute.
Finally, information that is “reasonably capable of being associated” or “could reasonably be linked” is also within the scope of CCPA even where the information does not identify an individual or household and it is not intended for that purpose, provided that it ultimately results in the identification of a specific individual or household. For example, a system of satellite location that is set up by a transportation agency responsible for buses in a city could make it possible to determine the position of buses in real time. The purpose may be to provide better service by ensuring bus schedules are accurate and assign more or less buses to a route depending on traffic conditions. Strictly speaking the data needed for that system is data relating to the buses, not about the drivers. Yet, the system does allow monitoring the performance of drivers and checking whether they respect speed limits, follow appropriate itineraries, etc. It is therefore “capable of being associated” and can “reasonably be linked” to individuals (the drivers) and could be deemed personal information under CCPA.
It is important to note that one set of data can be deemed to be personal information of multiple individuals. For example, the service register of a car held by a mechanic or garage contains information about the car, mileage, dates of service checks, technical problems, and material condition. This information is associated on the record with a plate number and an engine number, which in turn can be linked to the owner. Where the garage is able to establish a connection between the vehicle and the owner, for the purpose of billing, all of the information on the vehicle is personal information of the owner under CCPA. In addition, the information may also be associated to the driver, who could be an individual other than the owner. In the same example, if the garage is able to make a connection between the mechanic that worked on the car for a specific repair with the purpose of ascertaining his productivity, this information could be personal information of the mechanic for CCPA purposes.
THIRD BUILDING BLOCK: Can the specific “consumer” or “household” to whom the information relates be identified?
In general terms, a natural person is considered “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. Additionally, a natural person is “identifiable” when, although the person has not been identified yet, it is possible to do so. This also applies in regard to households. Under the statutory language, both information that directly or indirectly “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked” can be personal information under CCPA. The reference “indirectly” stretches the concept of personal information beyond situations where a “consumer or household” is positively identified to include information that makes the identification possible. Data that, alone or in combination, does not directly or indirectly connect to a “consumer or household” should be considered anonymous dataand fall outside of the scope of CCPA. The key questions here are what specific pieces of information must be considered and what kind of due diligence should be conducted to achieve identification.
Identification is normally achieved through particular pieces of information called identifiers that are typically classified into direct and indirect. Thename of a person is the most common direct identifier for an individual and a physical address is the most common direct identifier for a household. However, in order to ascertain identity, the name of the person sometimes has to be combined with other pieces of information (date of birth, names of the parents, address or a photograph of the face) to prevent confusion between that person and possible namesakes. It is important to note that, while identification through the name is the most common occurrence in practice, under CCPA information can be personal in nature even where it cannot be connected to an individual’s name. For example, assigning a unique identifier to persons registered in a database is common in order to avoid confusion between two persons with the same name. In the same way, a physical address may not be required to identify a “household”.
The category of indirect identifiers typically relates to the phenomenon of “unique combinations”, whether small or large in size. Some indirect characteristics are so unique that someone can be identified with no effort (“current president of the US”). Others may not allow the identification of an individual in isolation and require combination with other pieces of information (i.e., age category, regional origin, etc).
The kind of diligence that will be expected to connect information to a consumer or household is, at this point, an open question. Clearly, the cost of conducting identification, the interests at stake, the intended purpose, the technological advances, the accessibility of the information and the potential risks should be factors to be considered to ascertain the due diligence expected. It is highly likely that business will be expected to use the information in their possession that is reasonably accessible to ascertain if a specific data element should be treated as personal information. However, data could be deemed anonymous under CCPA where the information required to produce an identification includes data that is “not maintained in a manner that would be considered personal information” orinformation that is in the possession of third parties. Guidance from the California AG’s office will be needed to provide a more specific answer to this key question.
For example, it could be argued that, where the business maintains records of IP addresses in a manner that does not link the IP Address with a particular user (such as in computer-logs that are not linked to individual accounts), such IP address should not be considered personal information under CCPA. This interpretation would be consistent with Cal. Civ. Code § 1798.145(i) . On the other hand, it can be argued that an IP address, even where stored in isolation, should be treated as personal information under CCPA where the business itself holds other pieces of information that, in combination with the IP address, can identify a consumer or household (such as where the business has records of a specific user logging in on a regular basis from a specific IP address). This interpretation would be consistent with the fact that Cal. Civ. Code § 1798.140(o)(1) lists “IP addresses” as an example of an element that can be considered personal information. Taking this one step further, it can be argued that regardless of the manner in which the record is maintained and even if the business cannot connect the specific IP address to an individual user based on the information it holds, such information should be considered personal because the IP address known to the business in combination with information in the hands of internet service providers will most probably suffice to identify a “consumer” or “household”.
In short, the question of under what exact circumstances IP addresses are to be considered personal information under CCPA will likely remain unanswered until the relevant provisions are interpreted through case law. That said, it would be erroneous to conclude that IP addresses in all cases will constitute personal information under CCPA. Under certain circumstances, IP addresses clearly do not allow independent identification for various technical and organizational reasons. For example, addresses attributed to a computer in an internet café, where no identification of the customers is requested should not be considered personal information and the same can be said of IP addresses used for machine-to-machine communication.
Where information is processed in stages one important question is at what stage should the information be considered personal. For example, identification of individuals captured through video surveillance in practice only happens in a small percentage of the material collected. It could be argued that, before identification in these few instances actually takes place, no personal information under CCPA is processed by video surveillance systems and, therefore, the process of recording and storing is outside of the scope of the law. This interpretation would be consistent with Cal. Civ. Code § 1798.145(i). On the other hand, it can be argued that claiming individuals are not identifiable, where the purpose of the processing itself is precisely to be able to identify them, is not aligned with the intent of CCPA and that video-surveillance should be handled as processing of personal information subject to the Act from collection to eventual deletion.
FOURTH BUILDING BLOCK: Whose information is regulated under CCPA?
The CCPA protects information of “consumers or households”. “Consumer” is defined by CCPA to mean a California resident for the purposes of taxes. A California resident is a living individual and, therefore, information relating to dead individualsshould not be considered personal information under CCPA. For the same reason, CCPA rules do not apply before birth or to the information of legal persons. Data of employees, however, will be within the scope of CCPA under the current version of the Act so long as they reside in California for tax purposes but amendments are being considered to exclude employee and contractor data from the CCPA. Finally, it is important to note that if a consumer where to permanently move out of California, he or she will no longer be considered a resident and, therefore, the information of such individual will cease being personal information for the purposes of CCPA.
The term “household” is not defined under CCPA. It is not clear how the inclusion of the reference household will expand the definition of personal information. This has been a topic of debate, and it is hoped thatthe California Attorney General’s office will provide clarity on its meaning. Merriam-Webster’s definition of household is “a social unit composed of those living together in the same dwelling.” Under that definition, it could be said that the value of a particular house is not personal information absent the ability to connect it with a particular individual or with a group of individuals living together.
It is important to note that all of the rights granted by CCPA are granted on consumers and not households and most CCPA rights cannot be exercised with respect to “household” personal information (unless the “household information” is, at the same time, personal information of the consumer exercising the right). Specifically, the statutory language limits the rights of access to specific pieces of information, the right to erasure and the right to opt-out expressly to personal information of consumers, therefore excluding personal information that can be connected to a household but not to a specific resident in that household.
Therefore, contrary to what has been stated by various groups, CCPA clearly does not allow for individuals residing in the same household to obtain data about each other. Under the current statutory language the right to provide access is granted only on consumers; and the obligation to provide access to specific pieces of information is imposed only on business that collect consumer personal information (as opposed to household personal information). The businesses are only required to provide the personal information of the consumer that has made the request. Therefore, even though business may be required to disclose in their privacy notices their practices with regards to all consumer and household personal information, any particular resident in a household can exercise his/her CCPA right to access specific pieces of information only over personal data that relates to him/her personally (and not over data related to the household as a whole).
The obligation to provide a privacy notice and the right to obtain certain disclosures about the information processing practices of the business, on the other hand, does include provisions that relate to personal information in general (which could be read to include information about a household where the individual resides) and provisions that specifically refer to personal information of consumers, which makes sense as privacy policies do include information about data handling practices in general.
Finally, the right to not be discriminated against protects consumers that exercise their other rights and not “households”.
It is important to note that CCPA excludes de-identified information, aggregated information and certain types of publicly available information either from the definition of personal information under CCPA or from the scope of the Act. This article will not go in detail into the relevant concepts but the statutory definitions are provided below:
- De-identified data is excluded from CCPA under Cal. Civ. Code § 1798.145(a)(5). For the purposes of CCPA, de-identified data is defined to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” provided that the business that uses the de-identified information: (i)has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain; (ii) has implemented business processes that specifically prohibit re-identification of the information; (iii) has implemented business processes to prevent inadvertent release of de-identified information; and (iv) makes no attempt to re-identify the information.” (see, Cal. Civ. Code § 1798.140 (h)).
- Aggregated consumer information is excluded from CCPA under Cal. Civ. Code § 1798.145(a)(5). For the purposes of CCPA, aggregated information is defined to mean “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device”. CCPA clarifies that aggregated consumer information does not mean ‘one or more individual consumer records that have been de-identified.” (see, Cal. Civ. Code § 1798.140 (a)).
- Certain types of publicly available information: Information lawfully made available from federal, state or local governments is not considered personal information under CCPA only where the information is used for purposes compatible with the purposes for which the data is “maintained and made available” to the public. All other types of publicly available information are within the scope of CCPA. “Publicly available” is defined as “information that is lawfully made available from federal, state, or local government records” but not ifthat “data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained”. Cal. Civ. Code § 1798.140(o)(2). Note that the current definition of publicly available information is expected to change.
 Under Cal. Civ. Code § 1798.140(o)(1) “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.’ There is pre-existing California Law that aligns with this definition. In particular, Cal Civ. § 1798.80 (e) defines personal information as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, […]”
 Under Cal. Civ. Code § 1798.175 “The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers.”
 Examples include: (i) any categories of personal information described in subdivision (e) of Section 1798.80; (ii) characteristics of protected classifications under California or federal law; (iii) commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (iv) biometric information defined to mean “an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.” Biometric information includes, but is not limited to, “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information” (see, Cal. Civ. Code § 1798.140 (b)); (v) internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement; (vi) geolocation data; (vii) audio, electronic, visual, thermal, olfactory, or similar information; (viii) professional or employment-related information; and (ix) education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
 Unique personal identifier is defined to mean “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.” Family in this context is defined to mean “a custodial parent or guardian and any minor children over which the parent or guardian has custody.” Probabilistic identifier is defined to mean “identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.” (see, Cal. Civ. Code § 1798.140 (p)&(x)).
 Sorrell v.IMS Health Inc. 564 U.S. 552 (2011).
 As opposed to the Vermont statute, CCPA does not impose an affirmative obligation on pharmacies or data brokers to obtain consent but requires those entities to provide doctors with a right to “opt-out”
 Note that currently several amendments to CCPA are under consideration including AB 25 (proposed by Assemblyman Chau) excluding employees from the definition of “consumer”. As of 8/4/2019 the exclusion has a sun-set provision of Jan 2021 and appears to be moving along through the legislative process and it is likely to be incorporated into the upcoming “clean-up” bill.
 Even in the unlikely event the garage does not have enough information to connect the vehicle to its owner, if the identity of the owner can be obtained from public records through a license search arguable the information “could reasonably be linked” to the owner and therefore should be considered personal information of the owner. (See section on the third building block for an expanded explanation of this dynamic).
 Note that currently several amendments to CCPA are under consideration including AB 25 (proposed by Assemblyman Chau) excluding employees from the definition of ‘consumer’. As of 8/4/2019 the exclusion has a sun-set provision of Jan 2021 and appears to be moving along through the legislative process and it is likely to be incorporated into the upcoming ‘clean-up bill.
 Note the language in the definition states “[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Cal. Civ. Code § 1798.140(o)(1)). It is unclear if the reference ‘directly or indirectly’ should be interpreted to relate only to “could reasonably be linked” or to each and every element that precedes it. In any event, the reference clearly expand the definition to include information that makes an individual identifiable.
 See the section on exclusions below for the statutory definition of anonymous data under CCPA.
 Cal. Civ. Code § 1798.145(i) states “This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.”
 Cal. Civ. Code § 1798.145(i) states “This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.”
 Under Cal. Civ. Code § 1798.140(g) a natural person who is a “California resident”, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section reads on September 1, 2017. Section 17014 of Title 18 of the California Code of Regulations. defines residence for the purpose of requirement to pay taxes in California and the underlying logic behind it is that the state with which a person has the closest connection during the taxable year is the state of his residence (i.e. the state where the individual is to pay taxes for all of his/her income). Under this definition, an individual may be a resident although not domiciled in California, and, conversely, may be domiciled in California without being a resident.
 The rights to access, erase and opt-out are granted by CCPA exclusively over personal information related to a ‘consumer” and reading them as relating to ‘household’ data that is not personal information of the consumer making the request is clearly disingenuous. (For right of access see Cal. Civ. Code § 1798.100 (a) “[a]consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer” and Cal. Civ. Code § 1798.115 (a) ‘[a] consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer’. For the right to erase see Cal. Civ. Code § 1798.105 (a) “[a] consumer shall have the right to request that a business delete any personal information about the consumer”. For right to opt-out see Cal. Civ. Code § 1798.120 (a) “[a] consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.”(Bold added for emphasis)).
 Under CCPA a “consumer’ is an individual that is a resident of the California for tax purposes. (See, Cal. Civ. Code § 1798.140(g)).
 See, Cal. Civ. Code § 1798.100 (a) stating that consumer has the right to request “that a business that collects a consumer’s personal information disclose to that consumer”.
 See, Cal. Civ. Code § 1798.110. (a) (5) which states “[a] consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: […] (5) The specific pieces of personal information it has collected about that consumer.”
 See Cal. Civ. Code § 1798.110 (a)(1)“[a] consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: (1) The categories of personal information it has collected about that consumer.” See also Cal. Civ. Code § 1798.110 (a)(2)“[a] consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: The categories of sources from which the personal information is collected.” which could be read to require disclosure of sources both for information collected about the consumer and about the household where he/she resides (bold added for emphasis))
 See Cal. Civ. Code § 1798.125
 The current version of Cal. Civ. Code § 1798.140(o)(2) is expected to be corrected to eliminate the last sentence (that is to say, to eliminate “[…] “Publicly available” does not include consumer information that is de-identified or aggregate consumer information”. In addition, Assembly Bill 874 (AB-874) will likely widen the concept of ‘public information’.