What is “Personal Information”?


Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:00
Hello, everyone, and welcome to Lesson 2.3.
00:03
What is personal information? There is a lot to cover in this lesson, so let's jump right in.
00:09
Learning goal and objective number one,
00:12
we will review the definition of personal information. A huge red flag of caution.
00:17
The definition of personal information in California is different than the definition of personal data or personal health information or, frankly, any other law that you might have come across.
00:27
This only applies to the CCPA. And again, please contrast this with the GDPR, because the definition of personal data under the European model is different.
00:37
Learning goal and objective two.
00:39
We will review personal information and try to apply it to real-world businesses.
00:46
Learning goal objective number three.
00:48
If you've been keeping track, personal information is generally viewed as the third factor in determining whether or not a business is subject to the CCPA.
00:56
If at any time in the near future, you are at a meeting or on an email thread where your business is trying to figure out if it is subject to the CCPA or not, go through these three factors.
01:07
Lesson one, where we discuss the business model
01:08
number two, the geography and number three, which we will get into now.
01:14
What is personal information?
01:18
The CCPA is designed to protect consumers.
01:21
Personal information means that that information identifies or is reasonably linked or is able to be associated with a particular consumer or household.
01:30
Heads up:
01:30
personal information if it belongs to just the household in general. But maybe not underlying people. I'm thinking along the lines of Amazon Alexa and information that those devices collect.
01:41
That's also within the scope of the CCPA.
01:44
But normally it's particular individuals.
01:49
Here are some real-world examples of personal information.
01:53
First name,
01:53
last name, phone numbers, emails, IP addresses. By the way, yes, you might say that identifies a device,
02:01
not one person, but we normally know which individuals used which devices.
02:07
All that is to say these items fall within the scope of personal information because I can look at these items
02:14
and know who they belong to.
02:16
If someone gives me their name now I know who that person is. If I obtain an individual's biometric information, I can use that information to identify which specific consumer or if it's a group of household members. Maybe a household in general is subject to the data set that I'm looking at.
02:37
I also need to take a quick moment to identify for you that second generation personal information is also subject to the CCPA.
02:45
Any inferences that your business might be making from personal information that it collects to create a secondary profile in a consumer is also subject to the CCPA. It doesn't, by the way, even need to be accurate.
02:57
If you are in the ice cream industry and you identify that a group of people really like chocolate ice cream, and there are people in that data set that actually hate chocolate ice cream, that personal information about them potentially liking chocolate ice cream is still subject to the CCPA.
03:13
Please keep an eye on second generation inferences.
03:15
This is also a major reason why the CCPA was passed
03:20
because privacy advocates were worried about how profiles and other inferences were being used against consumers.
03:29
What is not in scope?
03:31
There are four general categories of personal information that on paper, are personal information because they actually don't apply to the CCPA.
03:40
As we go through them, it will become clearer.
03:44
The first one.
03:45
Any public information that is available via government record is not within the scope of the CCPA.
03:52
Now a big word of caution: if that information you happen to have collected is available online and you collected it, but you're now using it for different reasons, then the CCPA will become re-triggered.
04:03
Here's a quick example.
04:04
Personal phone numbers might be available in the Yellow Pages or white pages,
04:09
but those numbers are only available to look people up if you ever need to get in contact with them.
04:15
They're not supposed to be used to directly market materials or services or goods to those people.
04:20
That is an instance where you could not use the exception of government records.
04:27
Items two, three and four here are actually gaining in importance, especially in the last several years.
04:33
De-identified data.
04:35
That's when a data set has the personal identifiers removed from it. So when you later in time look at a specific data set, you can no longer figure out whose information originally belonged in this data set.
04:46
If you removed individuals' last names and you only have first names,
04:51
well, first names are fairly common. You might not know who that data set applies to anymore.
04:59
Aggregate consumer information is also not subject to the CCPA.
05:02
This is information of large groups of people where we can no longer identify the specific individuals who were originally collected under this data set.
05:11
That could be everybody who tuned into the news channel at 7 p.m.
05:15
Great. My personal information might be in that data set because I just happened to tune in at that time, but they're not going to know that I specifically tuned in.
05:23
They just know the sheer number of people who tuned in and maybe how long they were tuned in for.
05:30
Technical data.
05:31
This is an item not to sleep on at all.
05:34
This is information which, at its core, has nothing to do with people,
05:39
things along the lines of patents, high-level business reports or even mechanical or technical information.
05:46
That's not subject to the CCPA.
05:47
I actually recently worked on a data breach where the only, luckily, files that were breached had to do with high-level business reports.
05:55
Now, of course, the stakeholders were severely upset and scared, even.
05:59
But there was no need to worry ourselves about the CCPA because none of that information had to do with people. It was just financial data of certain products that were making money and certain products that weren't.
06:11
Now why is this all outside of scope?
06:15
It's because when I look at the data, I cannot tell who that personal information belongs to.
06:20
If you're ever debating whether or not a data set applies and is within the scope of the CCPA, just ask yourself:
06:28
If I'm looking on my screen right now, do I know who this information belongs to?
06:31
That's generally the golden rule and should be able to get you out of trouble nine times out of 10.
06:38
Let's also take a quick note on who your company interacts with.
06:42
Consumers are absolutely subject to the CCPA.
06:45
We'll talk a little bit more about employees.
06:47
Amendments are actually going through as I have recorded these videos, but generally employees are not subject to the CCPA.
06:55
They might be starting on January 1st of 2021, but
06:59
there are amendments to actually push that date further to 2022, 2023.
07:03
We're actually only focusing on the individuals who consume your business's services or goods.
07:09
Individuals who are not interacting with your business, who generally are members of the public.
07:14
That's on a case-by-case basis. But let us ask ourselves, why are you collecting that individual's information in the first place?
07:19
They might be considered a consumer. They might not. Again, that's a case-by-case basis.
07:27
A huge thing to note here.
07:28
In the previous lessons, we discussed the federal sector laws.
07:30
There are carve-outs under the CCPA, which means that the information that is governed by those federal sector laws is not subject to the CCPA obligations.
07:41
Under the Gramm-Leach-Bliley Act, all information is covered under all the obligations and mechanisms that were established by the GLBA,
07:49
and therefore, the protections that people enjoy under the GLBA do not extend to the CCPA.
07:57
financial information and by extension, health information or even clinical trial data.
08:01
Individuals cannot use the CCPA to restrict how information in those categories is used because there is a federal carve-out.
08:11
Long story short,
08:11
Sacramento cannot overrule the laws of Washington, D.C. And that is why there is a federal carve-out.
08:18
We'll get to that more in the coming lessons.
08:22
In summary, there are both legal and practical definitions of personal information.
08:26
Feel free to look up the law, but basically, if I can see on my screen who this information belongs to, then it applies to the CCPA.
08:35
Do not forget about the federal carve-outs.
08:37
If you're looking at health data or financial data, you need to be looking at the requirements of other laws, not the CCPA.
08:45
Always consider the categories of individuals your business collects information from,
08:48
with the main focus being on consumers.
08:52
I'll see you in the next video.