CCPA and the Terrible, Horrible, No Good, Very Bad Draft Regulations

The most important part of a privacy law is its definitions. Get them wrong and the rest of the statute doesn’t mean much.[1] California has a fancy new privacy law, CCPA, but the latest draft regulations from the office of Attorney General Becerra put forth a ridiculous interpretation of the law’s core definition.

The short version 

Suppose a free adult video site, IPporn, logs every video watched along with the associated IP address. It stores no other session or user information. Under the most obvious reading of the new draft CCPA regulations, the log would not constitute personal information. IPporn could, for example, tweet out every IP/video record publicly. This is bad.

You can submit comments to the AG here. The deadline is February 25, 2020 at 5:00 pm PST.

Defining “personal information”

The law governs the use of “personal information.” Let’s look at the definition.

  • 1798.140(o)(1): “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Under this definition, personal information definitely includes information that “could reasonably be linked” with a particular household. No question about it.

The AG enforces CCPA and is working on regulations to clarify many of its provisions. The first draft of the regulations didn’t have any additional guidance on the definition of personal information. The second draft, posted a couple weeks ago, adds the following paragraph, under the heading “Guidance Regarding the Interpretation of CCPA Definitions.”

  • 999.302(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”

Problems

The draft regulation’s definition is so frustratingly wrong. Its two sentences have three serious problems.[2]

1. The draft regulation distinguishes between what a specific business can do with data and what can be done with data more generally. The original definition demands protection of information if it can be reasonably linked with a particular household by anybody. In contrast, the draft regulation only requires protection of information if it can be reasonably linked by the business. It suggests that to free personal information from CCPA protection, a business doesn’t have to make the information less identifiable; it only has to handicap its own identification capabilities.

This is something industry critics of CCPA (who want to weaken the law) have been begging for. Their argument is that you can’t expect every mom-and-pop data company that peddles in the personal information of 50,000 people annually to be able to figure out what leet MIT hackers can do with data. That argument makes some sense, and it’s clear that a lot is riding on the meaning of “reasonable” in CCPA’s definition of personal information.

However, this distinction yields a nonsensical policy. For example, CCPA makes it illegal for a business to publicly tweet its users’ personal information. But if the business can’t reasonably link it to a household, then it’s not personal information. And if it’s not personal information, CCPA doesn’t apply. Tweet away. Of course, what should matter from a policy perspective is what the recipients of that information—anybody on the internet—can do with it.

Maybe I’m reading it wrong. That can’t be what they mean, right? Wrong!

2. Wrong, because they illustrate their point with the worst possible example: IP addresses! A typical household’s IP address (say, on a family desktop) stays the same for months or years at a time. During that period, every webpage they visit sees the IP. If anything “could reasonably be linked to a specific household,” it’s an IP address. But the draft regulation makes clear that it’s possible for IP addresses to not be personal information. If the business doesn’t keep around other information needed to link the IP address to the household (it’s hard for me to write that phrase, it’s so vacuous), then the data is free from CCPA.

3. Personal information no longer includes all information that could reasonably be linked with a particular household. It only includes information that is “maintained in a manner that could be reasonably linked” with a particular household. Compare with the statute’s language. The new regulations focus the definition of personal data on the form of the data: how it’s maintained. They sideline the power of the data: what can be done with it. For a data privacy regulation, this is backwards: the power of data, not its form, is what matters.[3]

~ ~ ~

Let’s go back to our adult video site IPporn. If the IP/video log doesn’t fall under the new exception established in the draft regulation, I don’t know what does. According to the regulation, it’s not personal information and IPporn can do whatever they want with it. Like tweet it. Like I said, this is bad.


Footnotes
[1] Once I was a judge for a class’s privacy law final project competition. The students were from two universities: half (mostly) CS students and half law students. The teams got up and presented their projects, proposing statutory language for a new privacy law of one sort or another. I asked 3 groups the same question. “A convenience store has a security camera at the front door to film customers as they walk in and out. As a side effect, the camera also records passersby that don’t walk in the store. Is the footage of passersby covered by your law?” None of the groups were ready to give a convincing answer one way or the other.

[2] Also, they misquote the statute. The regs change “could reasonably be linked” to “could be reasonably linked.” My first impression is that those might mean different things. I only noticed the change when rereading the post.

[3] I’ve made this point before in a post for Protego Press. That piece focuses on some subtleties in the law’s definition of “probabilistic identifiers” and calls for regulatory clarification. I submitted a comment to the AG with specific language (buried somewhere in the 7-part comments here). I’m not surprised that the comment had no effect. Regulators, lawyers, and companies are just wrapping their heads around CCPA as a whole, not worrying about whether a seemingly minor definition in the law is written exactly right. (It’s not minor and not close to right.) But the new regulations are so much worse, enshrining the worst interpretation of the ambiguous definition of probabilistic identifier as the main definition for personal information. Oy.