Answer ... As the protections afforded by state statutes vary from one state to another, there is no uniform set of definitions across all states or all regulations. Under the California Consumer Privacy Act (CCPA), the most comprehensive state privacy law which has served as a model for other state privacy laws, the terms are defined as follows.
(a) Data processing
Under the CCPA, ‘processing’: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means.
(b) Data processor
Under the CCPA, a ‘service provider’: Any for-profit entity that processes personal information on behalf of a covered business.
(c) Data controller
Under the CCPA, a covered ‘business’: Any for-profit entity that:
- does business in California;
- collects (or has collected on its behalf) personal information of California residents and determines the purposes and means of the processing of that personal information; and
- meets certain thresholds of gross revenue or amount of personal information collected.
(d) Data subject
Under the CCPA, ‘consumer’: All California residents, even if they are temporarily outside of the state (eg, on vacation). This definition does not cover visitors to California.
(e) Personal data
Under the CCPA, ‘personal information’: Information that identifies, relates to, describes or is reasonably capable of being associated with a particular consumer or household, including (but not limited to):
- personal identifiers (eg, name, postal address, email address, online IP address, social security number);
- internet activity information; and
- employment, educational and commercial information.
(f) Sensitive personal data
The CCPA does not distinguish sensitive personal data from personal information. The protection of specific classes of sensitive personal information (eg, health data, financial data and data of children) is governed by sector-specific state and federal laws.
‘Consent’ is not defined under the CCPA and requires further guidance from the attorney general.
Answer ... Under the CCPA, consumers have the right to opt-out of the sale of their personal information. A ‘sale’ or ‘selling’ is broadly defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
‘Aggregate consumer information’, ‘de-identified’, ‘probabilistic identifier’, ‘pseudonymise’ and ‘pseudonymisation’ are all defined terms under the CCPA, relating to the degree to which data can identify a person.
‘Biometric information’ is expansively defined in the CCPA as “an individuals’ physiological, biological or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity”. Listed examples include:
- imagery of the iris, retina, fingerprint, face, hand, palm or vein patterns;
- voice recordings;
- keystroke patterns or rhythms;
- gait patterns or rhythms; and
- sleep, health or exercise data that contains identifying information.