CCPA “Specific Pieces” Requests Can Dig Deep Into a Business’ Data
Consumers Can Make “Specific Pieces” Requests
Under the California Consumer Privacy Act (CCPA), a CA consumer can request and a business must disclose “specific pieces” of personal information (PI) collected about that consumer. CCPA Sections 1798.100, 110.
When a consumer today asks a company for whatever personal information the company has, the company is most likely going to present a limited set of things like the consumer’s account information and perhaps some user content. Is the consumer entitled to more? Yes.
Personal Information is Defined Very Broadly
‘“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. …’ Cal. Civ. Code § 1798.140 (o).
Information that is Not Personal Information
The CCPA (CCPA § 1798.140 (o) (2), (3)) specifically excludes some things from personal information:
- Information that is lawfully made available from federal, state or local government records
- Deidentified consumer information
- Aggregated consumer information
Examples of Personal Information
The CCPA provides a non-exhaustive set of examples of personal information:
- Postal Address
- Unique personal identifier
- Online identifier
- Internet protocol (IP) address
- Email address
- Account name
- Social Security Number
- Driver’s license number
- Passport number
- Or similar to above
- Customer Records
- Characteristics of protected classifications
- Commercial information, including purchases and purchasing history
- Biometric information
- Internet or other network activity information
- Geolocation data
- Sensory information
- Professional or Employment related
- Education information
- Inferences drawn from any of this info to create profile reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
It bears repeating that this list is only a list of examples, it is not exhaustive. Many more things are included in personal information.
Specific Pieces Request Not Limited As Are Categories Requests
There is an important difference between requests for categories and requests for specific pieces. Requests for categories are limited to categories of personal information, sources and 3rd parties. Specific pieces are not limited to categories. If the name of a source or 3rd party is within specific pieces of personal information related to a consumer, then the consumer is entitled to ask for it. For example, if the identity of a source or 3rd party is within the transaction metadata related to the consumer, then arguably a business must disclose not only the category but the name of the source or 3rd party as a specific piece of personal information.
A Closer Look at the Personal Information Definition
Let’s take a closer look at the definition of personal information to learn what more might be included.
Information is data that is processed, organized, structured or presented in a given context so as to make it useful. Note that the CCPA does distinguish between data and information, specifically in the section about the value of data to a business (e.g., CCPA § 1798.125 (b)).
Information can be personal information in 5 different ways, when it:
“…identifies, … directly or indirectly … a particular consumer or household.”
Can a particular consumer or household be identified? Examples would be name, postal address, email address, and unique personal identifiers.
“…relates to, … directly or indirectly … a particular consumer or household.”
Does the information relate to a particular consumer or household? Examples might include pictures of pets in a social media profile. By itself, a picture of a cockerpoo may not identify a consumer or household, but it can easily be associated with a consumer if it appears in the consumer’s social media profile. Other examples might be pictures of a household, on line reviews, browsing history, location history, etc.
“…describes, … directly or indirectly … a particular consumer or household.”
Does the information describe a particular consumer or household? An example of information that describes a consumer would be a profile, such as is used for targeted advertising or marketing.
“…is reasonably capable of being associated with, … directly or indirectly … a particular consumer or household.”
Is the information reasonably capable of being associated with a particular consumer or household? IP addresses are reasonably capable of being associated with a particular consumer or household, especially if triangulated with time and browsing history.
Example – Communication Metadata
Communications metadata is category of data that is reasonably capable of being associated with a consumer or household. After all, a message, such as a text or email will not reach the intended recipient if the recipient cannot be accurately identified. Communications metadata includes such things as phone number, device, sender, origin, IP address, time, type, routing, duration, longitude and latitude, format, protocol, terminating network, email address, attachments, and recipient.
Example – Advertising Transaction Data and Metadata
The same analysis could be applied to advertising transaction and metadata. The targeted advertising industry makes a lot of money because targeted ads land in front of identified consumers. Is the identity of an advertiser reasonably capable of being associated, directly or indirectly, with a particular consumer or household? Yes, via the advertising transaction data and metadata. Could the identity of losing bidders in real time bidding transactions be reasonably capable of being associated, directly or indirectly, with a particular consumer or household. Yes, again via the transaction and metadata. A curious consumer might request to know which companies (i.e., “specific pieces’) have been bidding to buy the consumer’s advertising profile.
“…could reasonably be linked, … directly or indirectly … a particular consumer or household”
Could the information reasonably be linked to a particular consumer or household? Businesses frequently link (or “join”) datasets together to enrich the information they have in order to do such things as better target marketing. They can link internal datasets, such as joining a customer relationships management (CRM) dataset to sales, advertising or marketing datasets. External data sets (such as geospatial data, natural resource data, satellite imagery, economic data, real estate market data, etc.) can be imported and linked to particular consumers or households.
What is Reasonable Association or Linkage?
Data Sets are Often Easily Joined
In the last two cases, take special note of the language “reasonably capable” of being associated and “could reasonably” be linked. It is often fairly easy to link two or more datasets within a database or even from two or more different databases. Generally all that is needed is some common key between the data sets. A key can be unique data, such as a GUID or item ID, but many data fields can act as keys. Phone numbers, email addresses, names, etc., can be used as keys. Sometimes keys are composed of multiple fields of data. Joins of dataset might not perfectly join data in both datasets, but can often join large sections of data sets together. These sorts of joins are “reasonable” because they are fairly easy to do. For example, if a business has a CRM dataset, a member rewards dataset, customer purchase history, customer profiles, a marketing dataset and an advertising analytics dataset, that might be joined with pseudonyms or online identifiers as keys, then the larger joined set would be personal information, and might be subject to specific pieces requests.
Data Associations or Links are Continually More “Reasonable” Because of Artificial Intelligence
Have you ever purchased something online only to be instantly presented with something else you might want to buy? “People who bought those cross country skis also bought this ski parka.” With each additional purchase a company can use machine learning, deep learning, or predictive analytics to associate something else to the purchaser. The same thing can be done with clicks, views and advertising. Artificial intelligence (AI) is widely available and “reasonable” to use in associating or linking datasets. Machine learning is relatively common now. With every click on a web page a business can learn more about consumers. With every question to a digital assistant, the assistant company learns more about consumers. In essence, the amount of personal information that businesses have about consumers continually grows because AI continually learns about things associated with consumers.
The Possibility of Association or Linkage is Enough
Note also that the join need not have actually happened because the CCPA only requires the possibility of association or link (“capable” and “could”). The mere possibility of association or linkage creates personal information. A company that maintains data in different departments is going to have to add them to the overall data map, include a data dictionary for each and then do an assessment to see if joining (e.g., with keys) is possible. Even if a business is not currently using reasonably applicable and available technology, such as artificial intelligence, to associate data, it is held to the potential of doing so.
More Probable Than Not Identification.
The CCPA says ‘“Probabilistic Identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information’ Cal. Civ. Code § 1798.140 (a). The CCPA does not use the term “probabilistic identifier” anywhere else. Nevertheless, if it is to be given meaning, the inference is that a mere “more probably than not” standard is to be used when determining if a consumer or household might be identified. This is a very low bar. One study has shown that 87% of Americans can be identified with just gender, zip code and age. While updating the data map businesses should consider whether data sets can be joined using any probabilistic identifiers as keys. This analysis will probably greatly increase the surface area of personal information subject to specific pieces requests.
Personal Information Need Not be Personal.
Personal information includes any information that relates to a household, such as an address, an IP address or other online identifier used in a protocol to identify a modem or router for a household. Businesses need to add households to their data maps and apply all the foregoing analysis to households as well as individual consumers.
Specific Pieces Requests Can Dig Deep Into a Business’ Data
The upshot for consumers is a great amount of power for consumers to reach deep into the data of a company and get specific pieces of personal information not previously available. This is a very powerful tool, almost a privacy super-power, put into the hands of consumers to force the transparency of businesses who collect information about consumers.