CCPA Privacy FAQs: Does the Term “Personal Information” Within the CCPA Mean the Same Thing as the Term “Personal Data” Within the GDPR?

July 1, 2019

The term “personal information” is defined within the CCPA in a similar, but not identical, manner to the term “personal data” within the GDPR.  The following provides a side-by-side comparison of the two terms:

CCPA

Section 1798.140(0)(1)

GDPR

Article 4(1)

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household . . .

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person.


While courts and the California Attorney General have yet to provide interpretative guidance concerning the scope of “personal information” under the CCPA, or to indicate the extent to which they will interpret that term consistently with the interpretations made by European supervisory authorities of the term “personal data,” one potentially significant differentiator is the inclusion of the term “reasonably” in the definition.  A strong argument could be made that the inclusion of this word was intended to remove from the scope certain types of information which have been treated as “personal data” in Europe.  For example, while European regulators have suggested that data which is hashed, or salted and hashed, would still fall within the definition of “personal data” because there remains a theoretical possibility that the data could be re-identified,1 a California court could determine that such information falls outside the scope of the CCPA as it cannot be “reasonably” linked to a consumer.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. See Article 29 Working party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 20 (adopted on April 10, 2014).