Am I My Device? According to CCPA, Yes
When the alarm wakes me up, I reach for my mobile phone and check email. Next, I strap on my smartwatch. Over breakfast, I read the news on my tablet while Alexa plays some tunes. I join a conference call while driving to work and spend much of the day on my laptop. When I return home, the thermostat adjusts to my presence while I check out what my FireTV recorded.
Sound familiar? Almost 20% of Americans are just as hyperconnected, meaning they live in a household with 10 or more connected devices. The median household contains five, according to the Pew Research Center. In each one, multiple computers, shared media, work devices, and personal devices are constantly collecting and aggregating data.
How Will CCPA Treat Data Collected by Devices?
Understanding the nexus of individuals and the various devices they use will be key to preparing to meet operational requirements of the new California Consumer Protection Act (CCPA). As the Internet of Things (IoT) brings more connected devices into our lives, more personal data will be collected and aggregated.
CCPA is designed to increase transparency about how companies collect, process, share and sell personal information. Under CCPA, “personal information” is defined to mean, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Let’s Unpack that Wording to Explore How CCPA Takes Devices into Account.
Each phrase within the definition above sparks questions the California Attorney General will need to address in order to determine if companies adhere to the letter – and the spirit – of the law.
- The inclusion of “household” data stretches the concept of personal information and requires clarification. Sure, my personal phone and smartwatch are tied to me. But, streaming and shopping services could be related to a household. And, what about a work-issued cell phone that may be used on a temporary basis? In their inventory and classification schema, companies will need to consider how data may be tied to an individual, device and/or household.
- “Relates to” is potentially all-encompassing. Companies may need to widen the net to collect more information in their data inventory. Personal information may include not only “objective” information (e.g. social security numbers, credit scores, the presence of a certain substance in one’s blood) but also “subjective” information (e.g. opinions, assessments, preferences indicated by online behavior). CCPA includes “audio, electronic, visual, thermal, olfactory, or similar information” under the definition of personal information, which directly impacts a number of IoT devices.
- “Technical identifiers,” which includes things like connected devices, IP addresses, and network activity, are recognized as potentially PI and need to be classified in a company’s data inventory.
- “Inferred data” can become PI when linked or aggregated with other data. Using the online advertising ecosystem as an example, CCPA obligations apply to much of the information collected and used by marketing automation systems, website publishers, ad buying and selling platforms, and other technologies which businesses in the online ecosystem use to target customers.
- All sorts of information is “capable of being associated with” an individual. Even if a business is currently not aggregating data, it may in the future. Companies will need to decide how they will inventory and disclose information that may require analysis (e.g. data about the functioning of a device where human intervention is required). The key unanswered question is what kind of diligence will be expected for a company to identify, classify and analyze data for its intended – or potential – purpose.
A “Living” Law Built to Evolve as Technologies Change
In our recent CCPA roundtable discussion, data privacy advocate Alastair Mactaggart explained why the authors intentionally left so much room for interpretation. As he points out, past privacy regulations became out-of-date quickly because they couldn’t keep pace with changing technologies and data processes. Data privacy discussions even five years ago didn’t anticipate the proliferation of data-consuming IoT devices that surround us today, both at home and at work.
In contrast, CCPA has been called a “living law.” The goal is to continue to protect consumer privacy and enable people to control what happens to their data, even as more devices are invented and data analysis becomes more sophisticated.
To keep pace, companies need to develop data privacy programs with the flexibility to identify and classify both people and their devices. They need to anticipate potential future uses of data they collect and prepare to share that information with consumers.