How do the CCPA and the CPRA define Personal Information?

June 10, 2022 - Jeff Edwards

The passing of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) ushered in a new era of data privacy regulation over for-profit businesses. As other states enact similarly comprehensive legislation, not only are digital privacy best practices becoming the law, but transparency and privacy are increasingly expected by consumers. Consumers have become more aware of how their personal information is used in ever-evolving ways, and now they have more options to control it.

In order to comply with these evolving regulations, it's important to understand how these laws define personal data, as well as the regulations on its use. In this article, we'll cover what qualifies as personal information under the CCPA and the CPRA, as well as the legal requirements regarding the processing, storing, collecting, and selling of this data.

What is defined as personal information under the CCPA?

The CCPA defines personal information as: “information that identifies, relates to, or could reasonably be linked with you or your household.” This definition is purposely broad. The categories of personal data protected under this legislation are direct personal data, indirect personal data, biometric and health data, sensitive personal information, and internet activity.

A non-exhaustive list of examples includes:

  • name
  • address
  • social security number
  • religious beliefs
  • political beliefs
  • fingerprints
  • genetic data
  • email address
  • products purchased
  • internet browsing history
  • IP address
  • unique cookie ID
  • geolocation data

What are the requirements for processing personal information?

Under the CCPA, businesses are usually not required to obtain prior consent or have any other legal purpose for collecting personal data (as is required under the GDPR). The CCPA instead entitles individuals to access what personal information businesses keep on them and how that information is used, as well as providing them with actions they can take to dictate the future uses of that data.  

Right to Know

California citizens have the right to know what types of personal information a business collects about them and how it is used and shared. The CCPA requires businesses to provide this information in the form of a “notice at collection.”

Right to Opt-Out

California citizens have the right to request that businesses stop selling or sharing their information. Businesses that sell personal information must provide a way for customers to request to opt-out of their information being sold via an easily found “Do Not Sell My Personal Information” button or link. This must be a simple opt-out option—the link must not prompt customers to create an account or verify their identity beyond basic questions that would be used to identify which personal info is connected to that individual. After an individual opts-out, businesses cannot contact them asking them to opt-in again for at least 12 months.

Right to Delete

California citizens have the right to have their personal information deleted. Businesses must designate at least two methods of submitting a request to delete personal information (for example, an email address, a web form, or a toll-free number to call).

Right to Non-Discrimination

Businesses cannot discriminate against individuals for exercising their rights under the CCPA. Businesses cannot ask an individual to waive these rights, or deny services for waiving these rights (unless the information is necessary for the business transaction). Further, businesses cannot offer special deals or promotions in exchange for waiving CCPA rights. 

What is “sensitive” personal information, as defined by the CPRA?

With the passage of the ballot measure approving the CPRA, which takes effect January 1, 2023, the CCPA has been expanded upon and amended in certain areas. The CPRA upholds the CCPA’s definition of personal information, but provides a new special category of personal information, called sensitive information, which includes:

  • Social security number
  • State-issued ID number
  • Passport number
  • Account login along with password or required credentials
  • Racial or ethnic origin
  • Sexual orientation
  • Genetic information
  • Biometrics that are used for the purpose of identifying a unique person
  • Personal mail, email, and text message contents when the recipient is not the business accessing it
  • Precise geo-location data

The CPRA gives Californians the right to know about how their sensitive personal information is collected, used, shared, and retained, but the onus is still on the individual to request limitations on that use.

What exceptions exist?

There are a few categories of information that do not qualify as personal information under the CCPA and CPRA, and are thus not subject to the regulation.

Publicly Available Information

Public information such as that found in federal, state, or local government records is not considered personal information.

Aggregated Information

When an individual’s data is included as part of a large group and the individual consumer identities have been removed, it is not personal information.

Deidentified Information

Information that has been properly deidentified is not considered personal information. To meet the CCPA’s narrow definition of deidentified, information “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular customer.” Further, the business must have processes and technology disabling reidentification of the data or inadvertent release of the de-identified data.  

Is personal information under the CCPA the same as personal data under the GDPR?

Personal information is slightly different under the CCPA than under the GDPR. 

Under both the GDPR and CCPA, the term “personal data” means any information that can directly or indirectly identify an individual person. The GDPR, and now (with the addition of the CPRA) the CCPA, both distinguish a “sensitive personal data” category.

However, personal information under the GDPR includes publicly available information, whereas the CCPA does not include publicly available information. 

Personal information under the GDPR is limited to information that is exclusive to the identification of one specific individual, whereas the CCPA broadens the definition to include a household

 

Jeff Edwards

Jeff Edwards

Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.

Learn more about Ensighten and our solution

Online skimming blog

Learn why third-party components on your website could be leaving you vulnerable to online skimming attacks

Read Now

Web skimming webinar

Learn more about how online skimming attacks happen and how you can protect against them

Watch Now

Online demo

See the Ensighten solution in action to learn how we can help protect your website against online skimming

Book Now