On February 7, 2020, California
Attorney General Xavier Becerra published modified
regulations for the California Consumer Privacy Act after reviewing the
public comments received on the initial draft regulations. While the modified regulations provide some
much-needed clarity, they also leave some notable gaps. One of those gaps is the lack of clear
guidance on what it means for a piece of data to meet the definition of
“personal information” because it can be “reasonably linked” to a particular consumer
or household.
The question is an important
one. The Act applies only to those entities
that do business in California, collect consumers’ personal information,
determine the purposes and means of processing that information, and meet one
of three thresholds. One of those
thresholds is that the business “annually buys, receives for the business’s
commercial purposes, sells, or shares for commercial purposes, alone or in
combination, the personal information of 50,000 or more consumers, households,
or devices.”
Given the magnitude of internet
activity, that threshold may not be as high as it initially appears. Businesses routinely collect the IP addresses
of visitors to their websites and can tell when those IP addresses are
associated with a California user. If
those IP addresses meet the definition of “personal information” and the
business uses them for a commercial purpose, then, on average, only 140
Californians per day need to access the website for the business to meet the 50,000-consumer
threshold. Yet the business may collect further
personal information, such as a name and shipping address, from a much more limited
subset of those visitors. For example,
an e-commerce business may log hundreds of thousands of visits to its website
from unique California IP addresses, but complete very few sales to California
consumers. Consequently, whether the Act
applies to that business may turn on whether the IP address information meets
the definition of “personal information” under the Act.
Read more ›