CCPA vs. California Breach Notification Law: What’s the Difference?

Now that spring is here, the July 1 enforcement date for the California Consumer Privacy Act (CCPA) is closing in. Companies covered under the CCPA, therefore, only have a short time to get ready before enforcement kicks in.

However, for many organizations—especially in ad tech—confusion has been the name of the game. Two big issues are determining what counts as a sale of data and verifying consumer identities to comply with their requests to opt-out of the sale of, delete, or get access to their personal information.

A third issue dozens of trade associations recently raised is the operational impact from the coronavirus pandemic, which they fear will delay the ability to be in full compliance by July 1. They are asking California to delay enforcement until Jan. 2, 2021.

Breach Notification Under the CCPA

As the enforcement deadline approaches—be in July or next January—, another question looms large:

What are your breach notification obligations under the CCPA?

The answer to this question is actually the answers to several questions, so we thought a Q&A would be helpful:

Q: Could a breach of personal information under the CCPA trigger breach notification obligations to affected individuals?

A: Yes. The CCPA leverages breach notification obligations that exist under the state’s general breach notification statutes.

Q: How do California’s general breach notification statutes define personal information?

A: Among other things, personal information is defined as an individual’s name in combination with any one or more of the following data elements:

• Social Security number
• Driver’s license number or another government-issued identification number
• Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
• Medical or health insurance information
• Biometric data
• Information or data collected through the use or operation of an automated license plate recognition system
• A username or email address, in combination with a password or security question and answer that would permit access to an online account

Note that this definition is narrower than the CCPA’s general definition of personal information, but broader than the definition of personal information specified in the CCPA’s private right of action provision.

Q: How does the CCPA define personal information?

A: Personal information under the CCPA means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Q: What is the scope of personal information specified in the CCPA’s private right of action provision?

A: As specified in the CCPA, a private right of action applies to a narrow subset of the statute’s broad general definition of personal information. Among other things, personal information is specified as a person’s name in combination with any one or more of the following data elements:

• Social security number
• Driver’s license number or another government-issued identification number
• Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
• Medical or health insurance information
• Biometric data

Q: What are the differences between the definitions of personal information under the breach notification statutes and the CCPA’s private right of action?

A: There are three main differences:

1. The general breach notification statutes exclude encrypted data from the definition of personal information, while the definition of personal information specified by the CCPA’s private right of action excludes both encrypted and redacted data.
2. The general breach notification statutes specify information or data collected through the use or operation of an automated license plate recognition system. The scope of information specified by the CCPA’s private right of action does not.
3. The scope of information specified by the CCPA’s private right of action does not include a username or email address in combination with a password or security question and answer that would permit access to an online account.

One critical takeaway from these differences is that an entity could experience a breach of personal information that would require notification under the state’s general breach notification statutes, but would not be subject to a private right of action under the CCPA.

Cutting the Confusion out of Compliance

Mahmood Sher-Jan, RadarFirst’s CEO and founder, once said, “Achieving compliance is a marathon, not a sprint!” For privacy professionals concerned with California’s breach notification laws and the CCPA, compliance is like running a marathon—in a maze! The varying definitions of personal information under each statute is confusing at best.

Fortunately, you don’t have to navigate the complexities of compliance alone. RadarFirst offers resources galore to keep you on track:

• Keep up on the latest laws with RadarFirst’s global breach law library.
• Use best practices in privacy incident response.
• Get your team in shape. Use the Privacy Team Tabletop Exercise to evaluate your team’s privacy incident response readiness.

One thing is certain

Privacy laws are always evolving, and unforeseen crises such as the coronavirus pandemic only add to the stress and confusion.

To help privacy professionals in their never-ending quest for compliance—and to protect individual rights to privacy in uncertain times—Radar’s regulatory team monitors legislation that could impact the CCPA, California’s general breach statutes, and other relevant laws around the world. It’s a job we’re proud to do.