On February 7, 2020, California Attorney General Xavier Becerra published modified regulations for the California Consumer Privacy Act after reviewing the public comments received on the initial draft regulations. While the modified regulations provide some much-needed clarity, they also leave some notable gaps. One of those gaps is the lack of clear guidance on what it means for a piece of data to meet the definition of “personal information” because it can be “reasonably linked” to a particular consumer or household.
The question is an important one. The Act applies only to those entities that do business in California, collect consumers’ personal information, determine the purposes and means of processing that information, and meet one of three thresholds. One of those thresholds is that the business “annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
Given the magnitude of internet activity, that threshold may not be as high as it initially appears. Businesses routinely collect the IP addresses of visitors to their websites and can tell when those IP addresses are associated with a California user. If those IP addresses meet the definition of “personal information” and the business uses them for a commercial purpose, then, on average, only 140 Californians per day need to access the website for the business to meet the 50,000-consumer threshold. Yet the business may collect further personal information, such as a name and shipping address, from a much more limited subset of those visitors. For example, an e-commerce business may log hundreds of thousands of visits to its website from unique California IP addresses, but complete very few sales to California consumers. Consequently, whether the Act applies to that business may turn on whether the IP address information meets the definition of “personal information” under the Act.
The modified regulations include a paragraph that attempts to make a clarification on this point. That paragraph reads:
“Whether information is ‘personal information’ as that term is defined in [the Act], depends on whether the business maintains information in a manner that ‘identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.’ For example, if a business collects the IP address of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’”
That guidance, however, will not necessarily have privacy counsel sleeping easier, because it does little to illuminate the line between reasonable and unreasonable when it comes to linking an IP address or other information to a particular consumer or household.
Looking at other privacy laws can be instructive. Notably, for example, the definition of personal data under the General Data Protection Regulation does not contain a reasonableness requirement. Rather, it defines personal data as any information relating to an identified or identifiable person, and defines an identifiable person as “one who can be identified, directly or indirectly, in particular by reference to an identifier . . . .” Recital 26 of the GDPR, however, states:
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
Under this guidance, the Court of Justice of the European Union has held that IP addresses can be personal data in certain situations because the individual’s Internet Service Provider holds information that can link the IP address to the individual user. Therefore, data held by an entity may be personal data under the GDPR even if additional information needed to link that data to a particular individual is held by a third party.
While the guidance in the modified regulations is not entirely clear, it does speak in terms of information that the business maintains. It states that whether information is “personal information” depends on whether the business maintains information in a manner such that it could be reasonably linked to a particular consumer or household. And a fair reading of the example given in the modified regulations is that if a business collects an IP address and the business does not and cannot reasonably link that IP address with a particular consumer or household, then the IP address is not “personal information.” In contrast to the GDPR, this reading would suggest that information that can only be linked to a particular consumer or household by way of additional information held by a third party would not be “personal information” under the Act.
On the other hand, the definition of “personal information” in the Act itself is not business-centric. Rather, it includes in the definition of “personal information” information that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It contains no language to suggest that the business itself must hold the information required to do the linking. Moreover, the guidance in the modified regulations also states that information is “personal information” if the business reasonably can link it directly or indirectly to a particular consumer or household. This language suggests that information held by third parties may come into play.
Unlike the GDPR, the Act does not yet have the benefit of judicial interpretation. Is reasonableness a matter of cost, whether in money or in time and effort, regardless of who controls the additional information? Is it a matter of the degree of separation between the information received by the business and the information needed to link that information to a particular consumer or household? While the modified regulations give clarity to many areas of the Act, the courts will likely shape the contours of when a piece of information can be “reasonably linked” to a particular consumer or household, and therefore is “personal information” under the Act.