00:08
Adam Stofsky
Shannon, what is the definition of data under international privacy laws? What is this concept of personal information? What does it include? What does it not include?
00:22
Shannon Yavorsky
That's really interesting topic, because it's very broad, and I think a lot of people think of personal data, and they're like, oh, yeah, my name and my address. But actually it's any data that can be used directly or indirectly to identify you. So even things that you don't necessarily know, like your IP address. I don't know what my IP address is. I think I know where to find it, but I don't know what it is, certainly, or device ID. Another point that I don't know what it is, but I think I know where to find it on my phone.
00:55
Adam Stofsky
You don't have your device ID memorized?
00:57
Shannon Yavorsky
Not yet. Not yet. Those are data points that are considered personal information. So companies that are collecting that data, so apps, maybe on your phone that are using your device ID to help facilitate targeted advertising, they're collecting personal information. So the concept is incredibly broad, and a lot of the words are used interchangeably. Personal data and personal information, different laws use different defined terms, but it's essentially the same thing. So data that can be used directly or indirectly to identify you.
01:32
Adam Stofsky
Hang on, before you go on, Shannon, just to clarify, just so I'm sure I know what this means. So it means any information that actually identifies a person that literally is like your name or maybe your address or information that could identify you if you did jump through some minor hoops that's like your IP address, things like that. Right?
01:55
Shannon Yavorsky
Yeah, that's exactly right. And certain jurisdictions also include inferences. So if I'm a company and I see that you, Adam Stofsky, have bought some guy likes this guy likes running shoes, I'm going to send him ads for hiking boots because that's a related sport. So I'm making inferences about you. And that's also personal information. So it's very broad, and maybe because you bought hiking boots, I'm going to send you some information about energy bars. I'm going to send you ads for energy bars because I know that I think I've made an inference that you're a hiker and you might need an energy bar.
02:34
Adam Stofsky
Right. So I have to treat that browsing history or purchase history as personal information under these privacy laws?
02:42
Shannon Yavorsky
That's right. To the extent that it's associated with you, like an ID that is associated with you, that is personal information.
02:49
Adam Stofsky
Okay, you were going to talk about some nuances, so get into it.
02:52
Shannon Yavorsky
Sorry about just there are a few nuances that I think are important to mention. One is that in California also includes household data as part of personal information, which is a really interesting you know, we think it's things like your water meter data that could relate to anyone within the household. So that's a pretty interesting nuance. And then I think I'd be remiss in not mentioning that there's a definition for sensitive personal information, which is a separate category of more sensitive information. So data about race or ethnicity is considered sensitive personal information under a number of the state privacy laws, but also under the GDPR. So also under Europe's privacy law, which defines it as special category data. And there are different obligations that attach to a company's collection, use, and sharing of this other category of more sensitive personal information.
03:54
Shannon Yavorsky
Which makes sense, right? Like, if you're disclosing that information to a company, you want to make sure that there are enhanced obligations that apply to, for example, their sharing of that data with third parties.
04:06
Adam Stofsky
What are some other examples of that kind of sensitive data? You mentioned race. What else?
04:11
Shannon Yavorsky
Ethnicity. Sexual orientation is another one. It can be health information, certain financial information, precise geolocation data. That's one that's particularly sensitive, especially in our post dobbs world. The places that your phone pings when you're at a particular location can be incredibly sensitive personal information. It can allow a company to infer what religion you are or where you're going and who you're seeing. So that's really sensitive personal information, and you've probably seen on your phone in certain apps that it'll ask you specifically, can we use your precise location data? And you have to consent to it or not?
05:00
Adam Stofsky
So these laws apply to data that can identify people. What about things like trade secrets or company records? How does the law relate to that kind of information?
05:16
Shannon Yavorsky
So, privacy law doesn't really cover non personal information, and there's special separate trade secret law and confidential information law that covers that bucket of data. But if it doesn't include personal information, then it's not covered by the privacy laws. So if you have a set of really sensitive business information but there are no names or addresses or IP addresses in that data set, the privacy laws don't apply. Similarly, if you have a personal information set that's been anonymized or aggregated, so, for example, you've taken a bunch of personal information and you're summarizing it, and you're like, out of 100 people, there's a range of people who like sneakers. 90% of people like sneakers. You've got aggregate personal information. It no longer constitutes personal information that's.
06:13
Adam Stofsky
Subject to the law because specific people.
06:17
Shannon Yavorsky
Because it can't identify an individual. That's exactly right.
06:21
Adam Stofsky
All right. Super interesting. Thank you, Shannon, for that definition of what is personal information under data privacy law. Thank you.