How do the CPRA, CPA, & VCDPA treat publicly available information?

Husch Blackwell LLP
Contact

[co author: Stacey Weber]

Keypoint: The CPRA, CPA, and VCDPA’s definitions of “publicly available information” are broader than the CCPA’s definition, thereby expanding the types of personal information companies may process outside the confines of those laws.

In celebration of Data Privacy Day, we are launching this ten-part weekly series where we will compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we will explore important nuances and differences on topics such as treatment of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you are not already subscribed to our blog, consider doing so to stay updated.

Our first topic in this ten-part series is the treatment of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA expand this exception to include information a company has a reasonable basis to believe a consumer lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.

California (CCPA and CPRA)

Under the CCPA, publicly available information is addressed as an exception to the definition of personal information. The CCPA narrowly defines publicly available information as “information that is lawfully made available from federal, state, or local government records.” The CPRA expands this exception, adding “information that a business has a reasonable basis to believe is lawfully made available to the public by the consumer or from widely distributed media, or by the consumer.” The CPRA definition also includes “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”

For purposes of comparison, the additions unique to the CPRA are underlined:

“Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

In the initial draft of the CPRA ballot measure, comment 46 explained this change as “pre-emptively address[ing] First Amendment questions that have been raised.” This criticism was also raised during the CCPA rulemaking process, as documented in the appendices to the CCPA Final Statement of Reasons.

The practical consequence of this change could be significant for certain types of businesses. For example, personal information that a consumer makes publicly available on social media platforms could fit within the exception. Such information will not be subject to the CPRA’s consumer rights, including the right to deletion and right opt out of sales. It also is notable that the application of this exception is based on whether the business (as compared to the consumer) “has a reasonable basis to believe [the personal information] is lawfully made available to the general public by the consumer.”

Finally, while the expansion to exclude information reasonably believed to have been made public is echoed in the CPA and VCDPA, California remains unique in stating that “‘publicly available’ does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.” In our next post, we will analyze how each of the laws addresses biometric information.

Colorado (CPA)

Like the CPRA, the CPA addresses publicly available information as an exception to personal data. Under the CPA, publicly available information is “information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”

Virginia (VCDPA)

The VCDPA also excludes publicly available information in its definition of personal data, and separately defines publicly available information as: “Information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”

Consequence of the Variations

All three laws contain a broader understanding of publicly available information than what currently exists under the CCPA. The broader understanding includes information that a business or controller has a reasonable basis to believe has been made available to the general public by at least the consumer and, in the case of the CPRA and VCDPA, by the media or an unrestricted audience member of the consumer. The CPRA contains additional distinctions, particularly regarding collection of biometric data without the consumer’s knowledge. Overall, as compared to the CCPA, all three laws identify additional types of information outside the application of the statutes, which can significantly benefit businesses. For example, under these definitions, information posted on a public—i.e., nonrestricted—profile may qualify as publicly available information not subject to these laws.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising

Written by:

Husch Blackwell LLP
Contact
more
less

Husch Blackwell LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.