Updated, May 2025
The cornerstone of CCPA and CPRA compliance hinges on correctly understanding what constitutes “personal information.” California’s data privacy laws have a broad definition, making it essential for businesses to know what data points fall under these regulations. Let’s break down the key categories and recent updates that you need to be aware of.
1. Broad Definition of Personal Information
Under the CCPA and CPRA, personal information encompasses a wide range of data, including identifiers (e.g., names, IP addresses), commercial information, biometric data, internet activity, geolocation data, and inferences drawn from other personal information.
2. Introduction of Sensitive Personal Information (SPI)
The CPRA introduces a new category called Sensitive Personal Information, which includes data such as social security numbers, precise geolocation, racial or ethnic origin, and health information. Businesses must provide consumers with the ability to limit the use and disclosure of their sensitive personal information (SPI).
3. Enhanced Consumer Rights and Business Obligations
Consumers have the right to know what personal information is collected, request deletion, opt out of the sale or sharing of their data, and correct inaccurate information. Businesses are required to implement stricter security measures, provide clear notices, and honour consumer requests promptly.
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), have a broad definition of personal information (PI). PI encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.
Here is a breakdown of the categories of PI under the CCPA/CPRA:
| Category | Examples |
|---|---|
| Identifiers | Names, postal and email addresses, social security numbers, IP addresses, etc. |
| Commercial information | Records of products or services bought or considered, purchase/consumption histories. |
| Biometric information | Physiological or behavioural characteristics that can be used to identify a person, such as fingerprints, faceprints, voiceprints, and iris or retina scans. |
| Internet activity | Browsing history, search history, online interactions, etc. |
| Geolocation data | Precise location information, such as GPS data from mobile devices, or location derived from an IP address. |
| Sensory data | Audio, video, olfactory, or similar information. |
| Professional or employment-related information | Job history, performance evaluations, etc. |
| Education information | Information that is not publicly available and is maintained by an educational institution. |
| Inferences | Profiles created from PI to reflect preferences, behaviours, or characteristics. |
The CPRA introduced the concept of ‘Sensitive Personal Information’ (SPI). This subset of PI requires heightened safeguards and consumer rights due to its potentially intimate or revealing nature. SPI includes:
• Social security number, driver’s license number, passport number;
• Account logins and financial information (credit/debit card numbers, etc.);
• Precise geolocation;
• Racial and ethnic origin;
• Religious beliefs;
• Genetic data;
• Personal communications (content of mail, email, texts);
• Health information;
• Sex life or sexual orientation.
Businesses handling SPI must implement stricter security measures, provide clear notice of SPI collection and use, and offer consumers ways to exercise their SPI rights. The CPRA gives consumers the right to know what SPI a business collects about them and limits a business’s use and disclosure of their SPI to essential business purposes.
The CPRA significantly altered the privacy landscape by removing the blanket exemptions for employee and business-to-business (B2B) data. While such data is not fully covered, the CPRA now extends certain privacy rights to employees, job applicants, and contractors. Information such as emergency contact details and HR-related data can now fall under the scope of the CCPA/CPRA. This change gives the covered categories of individuals the right to know what personal information is collected and how it is used, to request correction of inaccurate information, to delete certain personal information, and to request limits on the use of their sensitive personal information.
Additionally, information collected in business-to-business transactions, such as names, job titles, and contact details of business representatives, now enjoys limited protection. Businesses are obligated to provide notice at collection regarding the categories of information collected and the purposes of its use, and individuals have the right to opt out of the sale and sharing of their B2B information.
Certain exemptions remain in place for both employee and B2B data, particularly for information necessary to fulfil the employment or business relationship.
1. Identify all types of personal information you collect, store, and process. Pay special attention to the sources of PI (customers, employees, business contacts, etc.), the types of PI (identifiers, commercial information, etc.), and whether you collect any SPI.
2. Categorise all PI according to the CCPA/CPRA definitions. Designate any SPI, ensuring it receives heightened protection. Mark any employee or B2B data that now falls under partial regulation.
3. Ensure your privacy policy and data handling practices reflect correct classifications, consumer rights, and SPI safeguards.
4. Implement stricter security measures for sensitive personal information. Consider encryption, access controls, and incident response plans.
5. Prepare to respond to consumer requests under the extended privacy rights for employee and B2B data, including access, deletion, and limiting SPI use.
This blog post has outlined the various categories of PI and the special protections afforded to sensitive personal information (SPI). However, applying these definitions to your specific business practices can be challenging.
Partnering with privacy professionals like ourselves at GDPRLocal can provide tailored insights and strategies to help you:
• Accurately map and classify your business’s unique data flows;
• Implement safeguards that specifically address SPI handling;
• Develop clear privacy notices and processes that meet legal requirements;
• Build a strong privacy program that minimises compliance risks and fosters consumer trust.
1. What constitutes personal information under the CCPA/CPRA?
Personal information includes any data that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. This encompasses names, addresses, email addresses, social security numbers, IP addresses, browsing history, and more.
2. How does the CPRA define Sensitive Personal Information?
Sensitive Personal Information under the CPRA includes data such as government-issued identifiers (e.g., Social Security numbers), financial account information, precise geolocation data, racial or ethnic origin, religious beliefs, and health information. Consumers have the right to limit the use and disclosure of their SPI.
3. What rights do consumers have regarding their personal information?
Consumers can request to know what personal information is collected about them, request deletion of their data, opt out of the sale or sharing of their information, and correct inaccurate data. Businesses must provide mechanisms to facilitate these requests.
4. What steps should businesses take to comply with the CCPA/CPRA?
Businesses should:
• Conduct data mapping to understand what personal information is collected and processed.
• Update privacy policies to reflect consumer rights and the use of data.
• Implement processes to handle consumer requests regarding their personal information.
• Ensure contracts with third parties include provisions for data protection.
• Train employees on data privacy practices and consumer rights.