Any information «that identifies, relates to, describes, can reasonably be associated with, or could reasonably be associated with, a «consumer or household» is potentially personal data within the meaning of the CCPA. This building block is crucial to precisely define the scope of the concept. The key question is what kind of link should exist between the information and the «consumer or household» for the information to be considered personal. [16] The rights of access, erasure and withdrawal are granted by the CCPA only with respect to the personal data of a «consumer» and it is patently dishonest to interpret them as referring to «household data» that is not personal data of the consumer making the request. (For the right to information, see Cal. Civ. Code § 1798.100 (a) «[a]consumer has the right to require that a company that collects a consumer`s personal data disclose to that consumer» and Cal. Civ. code § 1798.115 (a) «[a] consumer has the right to request that a company that sells or discloses the consumer`s personal data for commercial purposes disclose it to that consumer». For the right to erasure, see Cal. Civ.

Code § 1798.105 (a) «[a] the consumer has the right to request a company to delete all personal information about him». For the right of withdrawal, see Cal. Civ. Code § 1798.120 (a) «[a] the consumer has the right at any time to ask a company that sells personal data about the consumer to third parties not to sell the consumer`s personal data.» (Bold added to highlight)). The question addressed by the first component of the definition of personal data («information») is: What is «information» within the meaning of the CCPA? For the purposes of the Act, «personal data» is defined as «information that identifies, relates to, can be associated with, or could reasonably be associated directly or indirectly with a particular consumer or household.» The law contains a non-exhaustive list of examples that includes some detailed examples. Personal data includes, for example, «business information» (including «records of personal property, products or services acquired, received or contemplated, or other purchase or usage histories or trends»), «Internet or other information about electronic network activity» (e.g., browser and search histories), «educational information» and «electronic, visual, thermal information, olfactory or similar». Personal data does not include information lawfully provided from federal, state or local government records and used for purposes consistent with the purpose for which such data is retained in this manner. Data minimization. The CPRA limits the personal data collected by companies to what is «reasonably necessary and proportionate to achieve the purposes for which the personal data was collected». This section also prevents companies from circumventing CPRA`s obligations by sending personal data outside the state or through third parties, contractors or service providers. When a company collects personal data and shares it with another company for commercial purposes, the CPRA also requires the conclusion of an agreement that specifies the limited purposes of the personal data provided.

The receiving parties must also comply with the obligations of the CPRA and ensure the same level of data protection, while the information exchange company can take reasonable steps to ensure that the information is transmitted adequately. A contractor redefined in the PCA is similar to a service provider in that it is bound by the written terms of the contract, which set out certain restrictions and prohibitions on the use of personal data. However, unlike a service provider, the contractor understands a «certification» that it understands all of these restrictions and prohibitions and will comply with them. For example, the law states that companies must have a clearly visible footer on websites that offer consumers the option to opt out of data sharing. If this footer is missing, consumers can sue. They can also sue if they can`t understand how their information was collected or get copies of that information. «It can be around anything,» Farber says. Finally, in addition to the categories of «third-party suppliers» and «service providers» under the CCPA, CAPP adds «contractors» as a separate category of regulated entities. A contractor is a third party to whom the Company provides personal data of consumers for commercial purposes. As with service providers, contractors must now conclude a written contract and undertake to take appropriate measures to protect the electronic data collected. The third component of the definition of personal data («direct or indirect») answers the following question: can the specific consumer or household to whom the information relates be identified? (in particular, what types of «connectors» should be considered to achieve identification and what due diligence is expected of organizations) The California Consumer Privacy Act (CCPA), which went into effect on June 28, 2018, creates a set of privacy rights and business obligations for consumers regarding the collection and sale of personal information.

The CCAC came into effect on January 1. 2020. The first constituent element of the definition addresses the question of what type of data can be considered personal data within the meaning of the CCPA. The use of the term «information» signals a legislative intent of a broad interpretation of the term. 7. the right to rectification of inaccurate personal data; and in addition, while a company may deny users the same service, it can provide incentives to users who provide personal information. «This provision may change, but as mentioned today, it gives you the ability to offer discounts to people who are willing to share or sell their data to third parties,» says Dieterich. «Traditionally, systems are not designed in such a way that your pricing structure can change based on your privacy decisions.

This is a new concept that has very technical implications. [19] See Code cal. civ. § 1798.110. (a) (5), which states: `[a] the consumer has the right to request a company which collects personal data concerning him to communicate to the consumer: … 5. The specific personal data it has collected about that consumer. » 2020 California`s Proposition 24 proposes several changes to the CCPA. Proposition 24[30], also known as the California Privacy Rights and Enforcement Act of 2020, aims to expand existing privacy laws by giving consumers greater control over their personal information. Key differences between the CCPA and the European Union`s General Data Protection Regulation (GDPR) include the scope and territorial scope of each individual, definitions of proprietary information, levels of specificity, and a right of withdrawal for the sale of personal data. [22] [23] Companies that sell consumer data to third parties must disclose this practice and give consumers the opportunity to opt-out of the sale by providing a link on the company`s homepage titled «Do not sell my personal data.» This is called the right of «opt-out».

The law also provides that a company may not sell the personal data of consumers under the age of 16 without the express consent of that consumer (or, in the case of consumers under the age of 13, without the express consent of the consumer`s parents or guardians).