Theodore F. Claypoole of Womble Bond Dickinson writes:
Definitions are important.
How we define words sets the context for how we regulate them. In the U.S., the definitions of legally defended private information are changing, affecting the entire scope of information protection. The change in definitions reflects a desire to protect more of the data that describes how we live.
The terms defined in this first wave of data breach notice laws were based on lists. Each law listed a set of information categories likely to facilitate the theft of a citizen’s identity. The data breach notice law definitions of personally identifiable data tended to match a piece of identifying information – name or address – with a piece of data that would allow a criminal to access accounts. This last category included account numbers, credit card numbers, social security numbers, driver’s license numbers, and even birth dates and mother’s maiden name. If it wasn’t on the list, it did not trigger the statute. Different states added or subtracted pieces of information from the standard list, but the concept of listed trigger data remained the same.
The CCPA shattered this concept.
Read more on National Law Review.