I have always been fascinated with how words get their meanings. Many legal disputes stem from disagreements of word definitions. Anytime new laws are passed it is important to know the laws and also know what the key words mean and how they will affect how we do business. Fortunately the California Consumer Privacy Act had a built in glossary to help us avoid future confusion. We will go through a a couple of these terms that might not be used regularly but nonetheless should become part of your vocabulary.
“Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer
identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.
“Biometric information” means an individual’s physiological, biological or behavioral characteristics.
“Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated
for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal
information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
“Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be
linked, directly or indirectly, with a particular consumer or household. does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.
"Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information.
"Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
As you can see many of the legal definitions are very broad. Unfortunately this will create a regulatory environment that will slow business down because of fear of non-compliance. The insurance industry is reliant on clients and prospects giving their personal information. Many times this information is not properly protected which is why I feel the insurance industry is going to be hit really hard when CCPA gets fully enforced.
If we look at GDPR as an predictor of what is to come the signs are ominous. The cost of doing business is going to increase and innovation and efficiency will be the victims of overzealous laws. I am all for accountability and transparency but not when the enforcement is performed by regulators who are not prepared to help us comply with burdensome laws.
