Basic Identifying Information: name, address, phone number, IP address, email address, or Social Security numbers.
Non-identifying Data: behavioral, transactional data, buyer personas and insights drawn from non-identifying data.
Demographic Data: race, gender, sexual orientation, age, biometric, geolocation, psychographic.
Renting, transfer, trade, or any other transaction involving private consumer information.
Transactions don't need to involve money. Sharing consumer data with vendors without a service-provider relationship or sharing data with partners for co-marketing opportunities also could be considered a form of transaction.
The CCPA requires that any non first-party business receiving and using consumer information specifically for a company’s business purposes qualifies as a third party.
Any for-profit entity that processes information on behalf of a for-profit business is considered a vendor under the CCPA. A vendor that has a contract with a business that limits how they use personal information is considered a service provider under the CCPA.
The collection, possession, or other handling of data counts as “processing" under the CCPA. Certain data are excluded from CCPA processing regulations, such as personal data from credit reporting agencies. However, all parties involved are liable if they fail to comply.
“Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” This includes anonymized data used for generating insights and research.
The CCPA considers households and individual consumers equally in terms of data identification. Businesses that use data to eliminate a possible list of consumer identities down to a single household are considered the same as being able to identify the individual.