How do the CPRA, CPA and VCDPA deal with publicly available information? | Husch Blackwell LLP

[co-author: Stacey Weber]

Key Point: The CPRA, CPA, and VCDPA definitions of “publicly available information” are broader than the CCPA definition, expanding the types of personal information businesses can process outside the limits of these laws.

To celebrate Data Privacy Day, we’re launching this ten-part weekly series where we’ll compare key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). As the effective dates of these laws approach, we will explore the nuances and important differences on topics such as the processing of biometric and sensitive information, targeted advertising, consumer rights, and data processing agreements. If you haven’t already subscribed to our blog, consider doing so to stay up to date.

Our first topic in this ten-part series is the handling of publicly available information. Although the California Consumer Privacy Act (CCPA) contains an exclusion for “publicly available information” from its definition of personal information, the exclusion is limited to information made available by federal, state, or local government records. The CPRA, CPA, and VCDPA extend this exception to include information that a business has reasonable grounds to believe a consumer has lawfully made available to the general public.

Below is a comparison of “publicly available information” as defined in each of the three laws.

California (CCPA and CPRA)

Under the CCPA, publicly available information is treated as an exception to the definition of personal information. The CCPA narrowly defines publicly available information as “information lawfully made available from federal, state, or local government records.” The CPRA expands this exception by adding “information that a business has reasonable grounds to believe is lawfully made available to the public by the consumer or from widely disseminated media, or by the consumer”. The CPRA definition also includes “information made available by a person to whom the consumer has disclosed the information if the consumer has not limited the information to a specific audience.”

For purposes of comparison, the CPRA-specific additions are underlined:

“Personal Information” does not include publicly available information or lawfully obtained, truthful information that is in the public interest. For purposes of this paragraph, “publicly available” means: information lawfully made available from federal, state, or local government records, or information that a business has reasonable grounds to believe is lawfully made available to the general public by the consumer or from widely available media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not limited the information to a specific audience. “Publicly Available” does not mean biometric information collected by a business about a consumer without the knowledge of the consumer.

In the initial draft of the CPRA’s ballot measure, comment 46 explained this change as “[ing] First Amendment issues that have been raised.” This criticism was also raised during the CCPA’s rulemaking process, as documented in the Appendices to the CCPA’s Final Statement of Reasons.

The practical consequence of this change could be significant for certain types of businesses. For example, personal information that a consumer makes publicly available on social media platforms could fall under the exception. This information will not be subject to CPRA’s consumer rights, including the right to erasure and the right to refuse sale. It should also be noted that the application of this exception is based on whether the business (as compared to the consumer) “has a reasonable basis to believe [the personal information] is lawfully made available to the public by the consumer”.

Finally, while the broadening of the exclusion to cover information that is reasonably believed to have been made public is echoed in the CPA and VCDPA, California remains unique in stating that “‘publicly available’ does not mean biometric information collected by a company about a consumer without the knowledge of the consumer.” In our next article, we will analyze how each of the laws deals with biometric information.

Colorado (CPA)

Like the CPRA, the CPA treats publicly available information as an exception to personal data. Under the CPA, publicly available information is “information lawfully made available from federal, state, or local government records and information that a controller has reasonable grounds to believe the consumer has lawfully made available to the general public”.

Virginia (VCDPA)

The VCDPA also excludes publicly available information in its definition of personal data and separately defines publicly available information as: “Information lawfully made available through federal, state, or local government records, or information that a company has reasonable grounds to believe is lawfully made available to the general public through widely available media, by the consumer or by a person to whom the consumer has disclosed the information, unless the consumer has limited information to a specific audience.”

Consequence of variations

All three statutes contain a broader understanding of publicly available information than currently exists under the CCPA. The broader understanding includes information that a business or controller has reasonable grounds to believe has been made available to the general public at least by the consumer and, in the case of CPRA and the VCDPA, by the media or a member of the consumer’s unlimited audience. The CPRA contains additional distinctions, in particular concerning the collection of biometric data without the knowledge of the consumer. Overall, compared to the CCPA, the three laws identify additional types of information outside of law enforcement that can significantly benefit businesses. For example, under these definitions, information posted to a public, i.e., unrestricted, profile may be considered publicly available information not subject to these laws.
