Understanding the CCPA, part 3

What kind of data is covered?

Published on

The California Consumer Privacy Act applies to “personal information” of a consumer, broadly defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[1] Data covered includes, but is not limited to, traditional identifiers like name, postal address, email address, driver’s license numbers, and social security numbers. It also personal characteristics such as age, race, or national origin; commercial information such as records of purchases of goods or services; biometric data; Internet or other electronic network activity; geolocation data; professional or employment-related data; and education information. However, “publicly available information,” defined as information lawfully made available from federal, state or local government records.[2]

For purposes of the law, “consumer” is defined as a natural person who is a resident of California.[3] Therefore the law will not apply to businesses or other entities that are not natural persons. More importantly, the law will not apply to people who do not reside in California, even if they purchase products and services in California or from California businesses.

An important point is that the covered personal information must be associable with a customer. “Aggregate consumer information,” defined as information about a group or category of customer from which individual consumer identities have been removed, is not personal information.[4]

Similarly, information that has been “deidentified,” defined as information that cannot reasonably identify, relate to, describe, or be associated with a particular customer, is also not covered by the law, so long as the business meets four important conditions.[5] These are that the business: 1) has implemented technical safeguards to prohibit reidentification; 2) has implemented policies prohibiting reidentification; 3) has implemented processes to prevent reidentification; and 4) makes no attempt to reidentify the information.

The majority of auto dealership customer data likely falls within the very broad definition of personal information and therefore will fall under the protection of the law. However, dealers should understand the exceptions for aggregate consumer information and deidentified information. This kind of data can be a powerful tool, particularly when used to develop marketing campaigns. It may also become more central to manufacturer data demands in the future.


[1] 1798.140(o)(1).

[2] 1798.140(o)(2).

[3] 1798.140(g).

[4] 1798.140(a).

[5] 1798.140(h).