What Is Personal Information Under CCPA and CPRA?
May 9, 2025
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), are landmark privacy laws in the United States, granting California residents unprecedented control over their personal information. But what exactly is personal information under these regulations? Understanding this is critical for both consumers seeking to protect their data and businesses striving to comply with these laws. This article explores the definition of personal information, its subcategories like sensitive personal information, and key considerations for residents and businesses.
Understanding Personal Information Under CCPA
The CCPA, effective January 1, 2020, defines personal information broadly in California Civil Code § 1798.140(o)(1) as:
"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This includes, but is not limited to:
Identifiers: Name, email address, postal address, phone number, IP address, or Social Security number.
Biometric information: Fingerprints, facial recognition data, or voice recordings.
Geolocation data: Precise location information from devices.
Inferences: Data derived from other information, such as consumer preferences or behavioral profiles.
Household data: Information linked to a household, like shared device usage.
The CCPA’s expansive definition ensures that nearly any data tied to a consumer—a California resident—falls under its protection. For example, even anonymized data that could be re-identified may qualify as personal information.
Key Consumer Rights Under CCPA
California residents enjoy robust data subject rights concerning their personal information:
Right to Know: Request details about what personal information a business collects and how it’s used or shared.
Right to Delete: Demand deletion of personal information, subject to certain exceptions (e.g., legal obligations).
Right to Opt-Out: Prevent businesses from “selling” their personal information to third parties, a term that includes data sharing for monetary or other benefits.
How CPRA Expands the Definition of Personal Information
The CPRA, effective January 1, 2023, amends the CCPA and introduces sensitive personal information as a distinct category. According to California Civil Code § 1798.140(ae), sensitive personal information includes:
"Personal information that reveals a consumer’s Social Security number, driver’s license, financial account information, precise geolocation, racial or ethnic origins, religious beliefs, union membership, genetic data, biometric information, health, or sexual orientation."
The CPRA also regulates personal information used in cross-context behavioral advertising, where data is shared across websites for targeted ads. This reflects the law’s focus on modern data practices like automated decision-making.
New CPRA Obligations
The CPRA introduces principles like data minimization, requiring businesses to collect only what’s necessary, and retention period limits to avoid indefinite storage of personal information. Consumers also gain a right to correct inaccurate personal information, enhancing their control.
What This Means for California Residents
For consumers, understanding personal information under the CCPA and CPRA empowers you to protect your privacy. Here’s what you should know:
Broad Scope of Protection: Your personal information includes not just obvious identifiers like your name but also geolocation data, biometric information, and even inferences about your preferences.
Exercising Your Rights: You can submit requests to businesses to access, delete, or opt out of the sale of your personal information. Look for a “Do Not Sell My Personal Information” link on websites, as mandated by California Civil Code § 1798.135.
Sensitive Data Awareness: Be cautious about sharing sensitive personal information, like health or financial data, as CPRA imposes stricter rules on its handling.
Data Breach Risks: If a business mishandles your personal information, leading to a data breach, you may be entitled to compensation under CCPA’s private right of action.
To take action, check businesses’ privacy notices for details on data collection and submit requests to exercise your data subject rights. Staying informed about your personal information is the first step to safeguarding it.
What Businesses Need to Know
For businesses, compliance with CCPA and CPRA is non-negotiable, especially for those handling personal information of California residents. Non-compliance can lead to fines of up to $7,500 per intentional violation or lawsuits in case of data breaches. Here’s how to stay compliant:
Understand Covered Data: Recognize that personal information includes identifiers, biometric information, geolocation data, and even household data. Review your data collection practices to identify all relevant data.
Handle Sensitive Personal Information Carefully: CPRA’s category of sensitive personal information requires additional safeguards, such as limiting its use to what’s necessary and offering opt-out options for cross-context behavioral advertising.
Implement Data Subject Rights Processes: Set up systems to handle consumer requests for access, deletion, or opting out. Verify identities to prevent unauthorized access to personal information.
Work with Service Providers: Ensure contracts with service providers (e.g., cloud vendors) restrict their use of personal information to business purposes only, as required by California Civil Code § 1798.100(d).
Adopt Data Minimization: CPRA emphasizes collecting only essential personal information and retaining it for limited retention periods. Audit your data practices to align with this principle.
Update Privacy Notices: Clearly disclose the categories of personal information collected, purposes, and any data sharing in your privacy notice, as mandated by CCPA.
Additionally, businesses must stay vigilant about de-identified data: it falls outside the scope of the CCPA/CPRA only as long as it cannot be re-linked to individuals.
Why This Matters
The CCPA and CPRA redefine how personal information is handled, balancing consumer empowerment with business accountability. For California residents, these laws offer tools to control personal information, from identifiers to sensitive personal information. For businesses, compliance is critical to avoid penalties and maintain consumer trust.
By understanding what constitutes personal information under CCPA and CPRA, both consumers and businesses can navigate the evolving privacy landscape. Whether you’re a resident exercising your data subject rights or a business updating your privacy notice, staying informed about personal information is essential in today’s data-driven world.