BCLPatWork.com

Employer CCPA FAQs #3: As used in the CCPA, do the terms “personal data” and “personal information” mean the same thing?

Apr 22, 2019

As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues, we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine whether they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols to close identified gaps. Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address their obligations under the California Consumer Privacy Act. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.


Question #3: As used in the CCPA, do the terms “personal data” and “personal information” mean the same thing?

Not necessarily.

HR professionals who are responsible for bringing the employer into compliance with the CCPA need to know that there is no one definition of “personal information” or “personal data,” and that the meaning of those terms differs depending upon the context and the type of law at issue.

Only the term “personal information” is defined within the CCPA. As is discussed in Q-2, that term refers to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[1] That said, the term “personal data” is used instead of the term “personal information” within the CCPA’s definition of “processing,” which is defined as “any operation or set of operations that are performed on personal data . . . .”[2] It is not clear whether the change in terminology was intended to impart some meaning or is a drafting oversight. The latter appears to be the most plausible explanation, as the drafters of the CCPA likely copied the definition of “processing” from the GDPR (which has a nearly identical definition of “processing”) and forgot to replace the term “personal data” (a term used within the GDPR) with the term “personal information.”[3]

The terms “personal data” and “personal information” are used in other statutes and regulations in very different contexts and with very different meanings. For example, the term “personal information” is defined under several other states’ statutes as referring only to a person’s name in combination with a small subset of data fields viewed by legislators as being particularly sensitive. The state of Maryland, for instance, defines the term as follows:

“an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable: (i) A Social Security number; (ii) A driver’s license number; (iii) A financial account number . . .; (iv) An Individual Taxpayer Identification Number.”[4]

We expect the California Attorney General will provide guidance on applying these terms through the CCPA rulemaking process.


[1] CCPA, Section 1798.140(o)(1).

[2] CCPA, Section 1798.140(p).

[3] Compare GDPR, Article 4(2).

[4] Maryland Commercial Code § 14-3501(d)(1).


This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.