Probabilistic Identifiers in CCPA

The CCPA, the California Privacy Protection Act, was passed last year and goes into effect at the beginning of next year. And just as the GDPR impacts businesses outside Europe, the CCPA will impact businesses outside California.

The law specifically mentions probabilistic identifiers.

"Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

So anything that gives you better than a 50 percent chance of guessing personal data fields [1]. That could be really broad. For example, the fact that you're reading this blog post makes it "more probable than not" that you have a college degree, and education is one of the categories mentioned in the law.

Personal Information

What are these enumerated categories of personal information mentioned above? They start out specific:

Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, ...

But then, they get vaguer:

"purchasing or consuming histories or tendencies ... interaction with an Internet Web site ... professional or employment-related information."

And in addition to the vague aspects, categories are "any categories ... similar to" these.

Significance

What is the significance of a probabilistic identifier? That's hard to say. A large part of the CCPA is devoted to definitions, and some of these definitions don't seem to be used. Maybe this is a consequence of the bill being rushed to a vote in order to avoid a ballot initiative. Maybe the definitions were included in case they're needed in a future amended version of the law.

The CCPA seems to give probabilistic identifiers the same status as deterministic identifiers:

"Unique identifier" or "Unique personal identifier" means ... or probabilistic identifiers that can be used to identify a particular consumer or device.

That seems odd. Data that can give you a "more probable than not" guess at someone's "purchasing or consuming histories" hardly seems like a unique identifier.

Devices

It's interesting that the CCPA says "a particular consumer or device." That would seem to include browser fingerprinting. That could be a big deal. Identifying devices, but not directly people, is a major industry.

Related Posts

[1] Nothing in this blog post is legal advice. I'm not a lawyer and I don't give legal advice. I enjoy working with lawyers because the division of labor is clear: they do law and I do math.