CCPA is Here; How Does its Definition of Personal Information Compare to GDPR?

Everything’s bigger in Califor….oh wait, that saying is about Texas. But it could just as well be about The Golden State, considering it’s the third-largest state in the union geographically. It has the largest population in the US and boasts the world’s fourth-largest economy.

It turns out that these last two tidbits are super significant. That’s because on July 1st, California’s sweeping privacy regulations, The California Consumer Privacy Act, or CCPA, became enforceable. While some businesses and trade groups, determined to delay the regulations due to COVID-19 concerns, voiced complaints to California AG Xavier Becerra, the law went into effect as planned anyway.

CCPA only affects citizens of California. However, those residents make up a vast majority of consumer data. Whether you have an online business (regardless of its location) or if you collect any type of consumer data, you must be prepared to respond to Subject Right Requests (SRRs) fully and accurately within the allotted time frame of 45 days. Therefore you need to understand what types of data are protected under the law, and which can be a bit more complicated than what meets the eye.

Is Being GDPR-Compliant Enough?

It’s reasonable to conclude that if you want to become CCPA-compliant (and considering that you’ll probably want to avoid hefty fines that come with non-compliance, you likely do want to become compliant), you have to know what types of personal information you collect.

Most businesses had to go through some type of data awareness initiative before GDPR came into effect in 2018. Before the laws were enforced, businesses were often in the dark regarding the data they collected and what happened to that data once it was in their hands.

But now a reckoning has taken place wherein businesses are finally beginning to understand what they collect, why they collect it, and what happens to it once it’s collected, with much greater depth than before. This is an amazing advance, but before you assume that if you’re GDPR compliant, then you’re inherently CCPA compliant, you need to know that the two regulations define “personal data” in different ways. At first glance, these differences might not seem all that significant, but if you’re not aware of them, you might wind up overlooking some key data categories, which could put you at risk of becoming non-compliant.

PI in CCPA Vs. PI in GDPR

To understand the differences and their ramifications, let’s look at Article 4.1 of the GDPR. The article states, ‘ “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.”

This includes:

1. The data subject’s name and ID number
2. Health and genetic related data
3. Economic status-related data
4. Cultural, religious, and social identity-related data

This is pretty straightforward–in GDPR, anything that can be used to identify the data subject directly falls under the jurisdiction of the law.

In CCPA, things get a bit murkier. In section 1798.140-Definitions, CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition has been called out for being rather vague, and to make matters more complex, the law then lists 11 sprawling categories of information considered to be under the purview of the law.

You can view the full list here, but here’s a taste of what’s covered:

1. Names, nicknames, home address, IP address, email address, social security number, drivers license number, passport number
2. Biometric data
3. Geolocation
4. Employment and professional history information
5. Education information
6. Internet history
7. Commercial data
8. Geolocation data
9. Audio, visual, and olfactory related data

Some of the categories above are considered PII – Personally-Identifying Information (PII). PII is information that, though it cannot directly be used to identify the data subject alone, when used in conjunction with other elements, it may be able to identify the subject. (Excluded from CCPA is information that’s publicly available from federal, state, and government sources. Deidentified data and health data protected under HIPAA is also excluded.)

The broad nature of these categories is a potential landmine, if not properly understood and accounted for.

Sustainable Discovery of all PII

To get a handle on the PII, you hold on data subjects, you need to effectively discover and map what you’ve got. If you haven’t done so already (and as of this writing, only 31% of businesses feel they are CCPA-compliant), now is the time to get started with automatic and sustainable data discovery.

1touch.io’s Inventa sustainable data discovery platform enables organizations to create a continuously updated lineage picture of each individual and all the data–PI and PII–they hold on them. It enables discovery of all data at rest and in motion, structured and unstructured, and known and unknown, to ensure continuous and complete adherence to CCPA, GDPR, and all the upcoming privacy regulations.

With Inventa, you can establish the total visibility and understanding needed to meet privacy regulations and respond to SRRs with accuracy and ease. Want to see Inventa in action? Schedule a demo with our experts today!