(1) IP Addresses Can Somehow Escape from Being Personal Information
New text of the regulation:
§ 999.302. Guidance Regarding the Interpretation of CCPA Definitions
(a) Whether information is “personal information,” as that term is defined in Civil Code section 1798.140, subdivision (o), depends on whether the business maintains information in a manner that “identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” For example, if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”
It is an understatement to say that a lot has happened in privacy law during the past decade. Here is my list of the most notable developments.
NOTE: I am giving a particular emphasis to what I find to be notable from a United States perspective. What is notable privacy law depends upon where one is situated. For example, if one is from a small country, that country’s developments are quite notable even if not well-known on a worldwide stage.
This cartoon depicts the travails of complying with the CCPA as it rapidly evolves. The CCPA originated when a referendum regarding consumer privacy rights was scheduled to be on the ballot in November 2018. Alastair Mactaggart, the referendum’s sponsor, offered to withdraw it if California passed a law. So, in the summer of 2018, the California legislature passed the CCPA in an all-out dash to beat the deadline for the referendum’s withdrawal
Businesses scrambled to get ready to comply for the CCPA’s effective date – January 2020. Being ready to comply with the CCPA requires quite a lot of work. Further complicating compliance, the CCPA is riddled with ambiguities and difficult tradeoffs between privacy and data security.
This cartoon depicts the challenges of multi-jurisdictional privacy law compliance. In 2018, organizations scrambled to comply with the GDPR. In 2019, businesses are scrambling to comply with the California Consumer Privacy Act (CCPA). And, there will be a new referendum on privacy law in California next year — CCPA 2.0. There’s a flurry of legislative activity in the states on privacy — IAPP has a great chart tracking what is going on. And, each year, more and more countries are passing new comprehensive privacy laws.
We are witnessing the growing pains of privacy law. Privacy wasn’t adequately regulated for too long, and now the concerns are festering, sparking a rush to action. In the US, state legislation on privacy will continue until the concerns are allayed. A thoughtful and powerful federal law could weaken the enthusiasm for states to jump into the fray, but this is a challenge with Congress as polarized as it is.
This cartoon is about data subject access requests (DSARs) — sometimes called “subject access requests” (SARs). The GDPR Article 15 provides for DSARs. The new California Consumer Privacy Act (CCPA) provides individuals with a right to learn about the personal data collected and shared about them over the past 12 months.