A Glossary of Terms for Decoding CCPA/CPRA
June 28, 2021
Save valuable time when you trust our Bloomberg Law solutions to tackle complex legal tasks with ease.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, creating an array of consumer privacy rights and business obligations related to the collection and sale of personal information. As the first comprehensive consumer privacy law in the U.S., the CCPA set the standard for the way many businesses are approaching privacy and data security.
Less than a year after the CCPA went into effect, California voters approved the California Privacy Rights Act (CPRA), which amends the CCPA. To help you navigate these significant changes to the data privacy landscape, Bloomberg Law offers the below glossary of key terms in the CCPA and CPRA, as defined by the texts of both laws.
[Download our Privacy Law FAQs for an informative look at the consumer data privacy laws changing business practices in the U.S.]
ADVERTISING AND MARKETING
A communication by a business or a person acting on the business’s behalf in any medium intended to induce a consumer to obtain goods, services, or employment.
An action that demonstrates the intentional decision by the consumer to opt into the sale of personal information. Within the context of a parent or guardian acting on behalf of a consumer under 13 years of age, it means that the parent or guardian has provided consent to the sale of the consumer’s personal information in accordance with the methods set forth in 11 CCR § 999.330. For consumers 13 years and older, it is demonstrated through a two-step process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.
AGGREGATE CONSUMER INFORMATION
Information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.
The California Attorney General or any officer or employee of the California Department of Justice acting under the authority of the California Attorney General.
A natural person or a business entity registered with the Secretary of State to conduct business in California that a consumer has authorized to act on their behalf subject to the requirements set forth in [11 CCR] section 999.326.
An individual’s physiological, biological, or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
[Learn about biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), and how other state biometric privacy statutes compare.]
Any for-profit entity doing business in California (whether or not the business is actually based in California) that collects consumers’ personal information (or on whose behalf such information is collected) and that alone, or jointly with others, determines the purpose and means of processing that information, and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million, as adjusted pursuant to Civ. Code § 1798.185(a)(5);
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives half or more of its annual revenue from selling consumers’ personal information.
Also, any entity that controls, or is controlled by, a business if it shares common branding.
The use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Mitigate Risk in Privacy and Data Security
On the frontier of privacy and data security, change happens. Map your strategy with Bloomberg Law’s essential privacy and data security news, expert analysis, and practice tools.
CALIFORNIA PRIVACY PROTECTION AGENCY
A state agency vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act.
CATEGORIES OF SOURCES
Types or groupings of persons or entities from which a business collects personal information about consumers, described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity. They may include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
CATEGORIES OF THIRD PARTIES
Types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party. They may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.
COLLECTS, COLLECTED, COLLECTION
Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
To advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
For purposes of defining a business: “Common branding” means a shared name, servicemark, or trademark.
A natural person who is a California resident, as defined in 18 CCR § 17014, however identified, including by any unique identifier.
A person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business, provided that the contract:
- Prohibits the contractor from: (i) selling or sharing the personal information; (ii) retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract; (iii) retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business; and (iv) combining the personal information with personal information which it receives from or on behalf of another or collects from its own interaction with the consumer (subject to certain exceptions);
- Includes a certification made by contractor that the contractor understands the statutory restrictions and will comply with them, and
- Permits the business to monitor the contractor’s compliance at least once every 12 months.
For purposes of defining a business: “control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.
CROSS-CONTEXT BEHAVIORAL ADVERTISING
The targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts.
Subscribers Only: Privacy and Data Security Practice Center
Find the resources you need to stay up to date on the latest privacy and data security developments, from legislation trackers and practical guidance to workflow tools and state privacy profiles.
A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation.
Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information: (1) has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain; (2) has implemented business processes that specifically prohibit reidentification of the information; (3) has implemented business processes to prevent inadvertent release of deidentified information; (4) makes no attempt to reidentify the information.
DESIGNATED METHODS FOR SUBMITTING REQUESTS
A mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.
Any physical object that is capable of connecting to the internet, directly or indirectly, or to another device. Cal. Civ. Code § 1798.140(j).
Retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer.
Personal information that is collected by the business about a natural person for the reasons identified in Cal. Civ. Code § 1798.145(h)(1). The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.
For purposes of defining a unique identifier or unique personal identifier, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody. Cal. Civ. Code § 1798.140(x).
A program, benefit, or other offering, including payments to consumers, related to the collection, deletion, or sale of personal information.
HEALTH INSURANCE INFORMATION
A consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.
The introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review required notices, including, but not limited to, before downloading the application.
A person or group of people who: (1) reside at the same address, (2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.
The derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.
When the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, such as visiting the person’s website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a person.
A consumer under the age of 16. Different rules apply to consumers under the age of 13, and those between the ages of 13 and 16.
Advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business, with the exception of the consumer’s precise geolocation.
NOTICE AT COLLECTION
The notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer as required by Civil Code section 1798.100(b) and specified in the regulations.
NOTICE OF FINANCIAL INCENTIVE
The notice given by a business explaining each financial incentive or price or service difference as required by Cal. Civ. Code § 1798.125(b) and specified in the regulations.
NOTICE OF RIGHT TO OPT-OUT
The notice given by a business informing consumers of their right to opt-out of the sale of their personal information as required by Cal. Civ. Code § 1798.120 and Cal. Civ. Code § 1798.135 and specified in the regulations.
A consumer right, exercisable at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.
An individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Any categories of personal information described in Civ. Code § 1798.80(e).
- Characteristics of protected classifications under California or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
“Personal information” does not include publicly available information. “Personal information” does not include consumer information that is deidentified or aggregate consumer information.
Any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
PRICE OR SERVICE DIFFERENCE
Any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, or sale of personal information, including through the use of discounts, financial payments, or other benefits or penalties; or any difference in the level or quality of any goods or services offered to any consumer related to the collection, retention, or sale of personal information, including the denial of goods or services to the consumer.
The policy referred to in Cal. Civ. Code § 1798.130(a)(5); the statement that a business shall make available to consumers describing the business’s practices, both online and offline, regarding the collection, use, disclosure, and sale of personal information, and of the rights of consumers regarding their own personal information.
The identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
Any form of automated processing of personal information, as further defined by regulations, to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
The processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
For purposes of defining personal information, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
Subscribers Only: CCPA vs. CPRA
Use our tables to compare the texts of the California Consumer Privacy Act (CCPA), which was signed into law on June 28, 2018, and the California Privacy Rights Act (CPRA), which significantly amends the CCPA.
REQUEST TO DELETE
A consumer request that a business delete personal information about the consumer that the business has collected from the consumer.
REQUEST TO KNOW
A consumer request that a business disclose personal information that it has collected about the consumer. It includes a request for any or all of the following: (1) specific pieces of personal information that a business has collected about the consumer; (2) categories of personal information it has collected about the consumer; (3) categories of sources from which the personal information is collected; (4) categories of personal information that the business sold or disclosed for a business purpose about the consumer; (5) categories of third parties to whom the personal information was sold or disclosed for a business purpose; and (6) the business or commercial purpose for collecting or selling personal information.
REQUEST TO OPT-IN
The affirmative authorization that the business may sell personal information about the consumer required by a parent or guardian of a consumer less than 13 years of age, by a consumer at least 13 and less than 16 years of age, or by a consumer who had previously opted out of the sale of their personal information.
REQUEST TO OPT-OUT
A consumer request that a business not sell the consumer’s personal information to third parties.
Scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer‘s interactions with a business‘s service or device for other purposes shall be: (1) compatible with the business purpose for which the personal information was collected; (2) subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer; (3) made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain; (4) subject to business processes that specifically prohibit reidentification of the information; (5) made subject to business processes to prevent inadvertent release of deidentified information; (6) protected from any reidentification attempts; (7) used solely for research purposes that are compatible with the context in which the personal information was collected; (8) not be used for any commercial purpose; (9) subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
SECURITY AND INTEGRITY
The ability (1) of a network or an information system to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information; (2) to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions, and to help prosecute those responsible for such actions; and (3) a business to ensure the physical safety of natural persons.
SELL, SELLING, SALE, SOLD
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
A business does not sell personal information when:
- A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
- The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
- The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
- The business has provided notice of that information being used or shared in its terms and conditions consistent with Civ. Code § 1798.135.
- The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
SENSITIVE PERSONAL INFORMATION
Personal information that reveals:
- a consumer’s social security, driver’s license, state identification card, or passport number
- a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- a consumer’s precise geolocation
- a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
- the contents of a consumer’s mall, email and text messages, unless the business is the intended recipient of the communication
- a consumer’s genetic data
Sensitive personal information also includes:
- the processing of biometric information for the purpose of uniquely identifying a consumer
- personal information collected and analyzed concerning a consumer’s health
- personal information collected and analyzed concerning a consumer’s sex life or sexual orientation
Sensitive personal information that is “publicly available” shall not be considered sensitive personal information or personal information.
Work, labor, and services, including services furnished in connection with the sale or repair of goods.
A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer‘s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
SHARE, SHARED, SHARING
Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer‘s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Written attestation, declaration, or permission has either been physically signed or provided electronically in accordance with the Uniform Electronic Transactions Act, Cal. Civ. Code § 1633.1 et seq.
A person who is not any of the following:
- The business that collects personal information from consumers under this title.
- A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
- Prohibits the person receiving the personal information from:
- Selling the personal information
- Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
- Prohibits the person receiving the personal information from:
- Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
- Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (2) and will comply with them.
THIRD PARTY IDENTITY VERIFICATION SERVICE
A security process offered by an independent third party that verifies the identity of the consumer making a request to the business. Third party identity verification services are subject to the requirements set forth in 11 CCR Article 4 regarding requests to know and requests to delete.
UNIQUE IDENTIFIER, UNIQUE PERSONAL IDENTIFIER
A persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
VALUE OF THE CONSUMER’S DATA
The value provided to the business by the consumer’s data as calculated under 11 CCR § 999.337.
VERIFIABLE CONSUMER REQUEST
A request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General, to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer if the business cannot verify that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
To determine that the consumer making a request to know or request to delete is the consumer about whom the business has collected [personal] information, or if that consumer is less than 13 years of age, the consumer’s parent or legal guardian.
- What Is the VCDPA?
- The Evolution of Biometric Data Privacy Laws
- Tracking Privacy Legislation by State
- CCPA vs CPRA: What’s the Difference?
- Mitigate Risk in Privacy and Data Security
- Subscribers Only: Privacy and Data Security Practice Center
- Subscribers Only: CCPA vs. CPRA
- Download: 2022 Outlook on Privacy and Data Security
- Webinar: Pivoting Post-Disruption – the Latest Moves for Privacy Compliance
- Five Subtle Ambiguities in Virginia’s New Privacy Law