Understanding Personal Information Under CCPA/CPRA: A Guide for California Businesses
The cornerstone of CCPA and CPRA compliance hinges on correctly understanding what constitutes “personal information.” California’s data privacy laws have a broad definition, making it essential for businesses to know what data points fall under these regulations. Let’s break down the key categories and recent updates that you need to be aware of.
What is Personal Information (PI) under CCPA/CPRA?
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), have a broad definition of personal information (PI). PI encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.
Here is a breakdown of the categories of PI under the CCPA/CPRA:
Identifiers | Data points that can directly or indirectly identify an individual, such as name, address, email address, social security number, driver’s license number, passport number, customer number, IP address, cookies, device IDs, etc. |
| Commercial information | Records of products or services bought or considered, purchase/consumption histories. |
| Biometric information | Physiological or behavioral characteristics used for identification such as fingerprints, facial scans, voiceprints, and other biological data. |
| Internet activity | Browsing history, search history, online interactions, etc. |
| Geolocation data | Precise location information, as GPS data from mobile devices, location derived from IP address |
| Sensory data | Audio, video, olfactory, or similar information |
| Professional or employment-related information | Job history, performance evaluations etc. |
| Education information | Information that is not publicly available and is maintained by an educational institution. |
| Inferences | Profiles created from PI to reflect preferences, behaviors, or characteristics. |
CPRA’s Sensitive Personal Information (SPI)
The CPRA introduced the concept of ‘Sensitive Personal Information’ (SPI). This subset of PI requires heightened safeguards and consumer rights due to its potentially intimate or revealing nature. SPI includes:
– Social security number, driver’s license number, passport number;
– Account logins and financial information (credit/debit card numbers, etc.);
– Precise geolocation;
– Racial and ethnic origin;
– Religious beliefs;
– Genetic data;
– Personal communications (content of mail, email, texts);
– Health information;
– Sex life or sexual orientation.
Businesses handling SPI must implement stricter security measures, provide clear notice of SPI collection and use, and offer consumers ways to exercise their SPI rights. The CPRA gives consumers the right to know what SPI a business collects about them and limits a business’s use and disclosure of their SPI to essential business purposes.
2024 Updates: Employee and B2B Data
The CPRA significantly altered the privacy landscape by removing the blanket exemptions for employee and business-to-business (B2B) data. While not fully covered, the CPRA now extends certain privacy rights to employees, job applicants, and contractors. Information like emergency contact details and HR-related data can now fall under the CCPA/CPRA scope. This change gives the covered categories of individuals the right to know what personal information is collected and how it’s used, request correction of inaccurate information, delete certain personal information and request the limit of the use of sensitive personal information.
In addition to this, information collected in business-to-business transactions, such as names, job titles, and contact information of business representatives, now enjoys limited protection. Businesses are obligated to provide notice at collection regarding the categories of information collected and the purposes of its use, and individuals have the right to opt out of the sale and sharing of their B2B information.
Certain exemptions remain in place for both employee and B2B data, particularly for information necessary to fulfill the employment or business relationship.
What Your Business Needs To Do
Thorough data mapping
Identify all types of personal information you collect, store, and process. Pay special attention to the sources of PI (customers, employees, business contacts, etc.), types of PI (identifiers, commercial information, etc.), and whether you collect any SPI.
Classify data
Categorize all PI according to CCPA/CPRA definitions. Designate any SPI, ensuring it receives heightened protection. Mark any employee or B2B data now falling under partial regulation.
Update policies and procedures
Ensure your privacy policy and data handling practices reflect correct classifications, consumer rights, and SPI safeguards
Secure SPI
Implement stricter security measures for sensitive personal information. Consider encryption, access controls, and incident response plans.
Respond to requests
Prepare to respond to consumer requests with the extended privacy rights to employee and B2B data related to access, deletion, and limiting SPI use.
Staying Ahead
This blog post has outlined the various categories of PI and the special protections afforded to sensitive personal information (SPI). However, applying these definitions to your specific business practices can be challenging.
Partnering with privacy professionals like ourselves at GDPRLocal can provide tailored insights and strategies to help you:
– Accurately map and classify your business’s unique data flows;
– Implement safeguards that specifically address SPO handling;
– Develop clear privacy notices and processes that meet legal requirements:
– Build a strong privacy program that minimizes compliance risks and fosters consumer trust.