7 min read

Writen by Sibel Amet

Posted on: May 14, 2024

Understanding Personal Information Under CCPA/CPRA: A Guide for California Businesses

The cornerstone of CCPA and CPRA compliance hinges on correctly understanding what constitutes “personal information.” California’s data privacy laws have a broad definition, making it essential for businesses to know what data points fall under these regulations. Let’s break down the key categories and recent updates that you need to be aware of.

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), have a broad definition of personal information (PI).  PI encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household.

Here is a breakdown of the categories of PI under the CCPA/CPRA:

Data points that can directly or indirectly identify an individual, such as name, address, email address, social security number, driver’s license number, passport number, customer number, IP address, cookies, device IDs, etc.
Commercial informationRecords of products or services bought or considered, purchase/consumption histories.
Biometric informationPhysiological or behavioral characteristics used for identification such as fingerprints, facial scans, voiceprints, and other biological data.
Internet activityBrowsing history, search history, online interactions, etc.
Geolocation dataPrecise location information, as GPS data from mobile devices, location derived from IP address
Sensory dataAudio, video, olfactory, or similar information
Professional or employment-related information
Job history, performance evaluations etc.
Education informationInformation that is not publicly available and is maintained by an educational institution.
InferencesProfiles created from PI to reflect preferences, behaviors, or characteristics.

The CPRA introduced the concept of ‘Sensitive Personal Information’ (SPI). This subset of PI requires heightened safeguards and consumer rights due to its potentially intimate or revealing nature. SPI includes:

– Social security number, driver’s license number, passport number;
– Account logins and financial information (credit/debit card numbers, etc.);
– Precise geolocation;
– Racial and ethnic origin;
– Religious beliefs;
– Genetic data;
– Personal communications (content of mail, email, texts);
– Health information;
– Sex life or sexual orientation.

Businesses handling SPI must implement stricter security measures, provide clear notice of SPI collection and use, and offer consumers ways to exercise their SPI rights. The CPRA gives consumers the right to know what SPI a business collects about them and limits a business’s use and disclosure of their SPI to essential business purposes.

The CPRA significantly altered the privacy landscape by removing the blanket exemptions for employee and business-to-business (B2B) data. While not fully covered, the  CPRA now extends certain privacy rights to employees, job applicants, and contractors. Information like emergency contact details and HR-related data can now fall under the CCPA/CPRA scope. This change gives the covered categories of individuals the right to know what personal information is collected and how it’s used, request correction of inaccurate information, delete certain personal information and request the limit of the use of sensitive personal information. 

In addition to this, information collected in business-to-business transactions, such as names, job titles, and contact information of business representatives, now enjoys limited protection. Businesses are obligated to provide notice at collection regarding the categories of information collected and the purposes of its use, and individuals have the right to opt out of the sale and sharing of their B2B information. 

Certain exemptions remain in place for both employee and B2B data, particularly for information necessary to fulfill the employment or business relationship.

Thorough data mapping

Identify all types of personal information you collect, store, and process. Pay special attention to the sources of PI (customers, employees, business contacts, etc.), types of PI (identifiers, commercial information, etc.), and whether you collect any SPI.

Classify data

Categorize all PI according to CCPA/CPRA definitions. Designate any SPI, ensuring it receives heightened protection. Mark any employee or B2B data now falling under partial regulation.

Update policies and procedures

Ensure your privacy policy and data handling practices reflect correct classifications, consumer rights, and SPI safeguards

Secure SPI

Implement stricter security measures for sensitive personal information. Consider encryption, access controls, and incident response plans.

Respond to requests

Prepare to respond to consumer requests with the extended privacy rights to employee and B2B data related to access, deletion, and limiting SPI use.

This blog post has outlined the various categories of PI and the special protections afforded to sensitive personal information (SPI). However, applying these definitions to your specific business practices can be challenging.

Partnering with privacy professionals like ourselves at GDPRLocal can provide tailored insights and strategies to help you:
– Accurately map and classify your business’s unique data flows;
– Implement safeguards that specifically address SPO handling;
– Develop clear privacy notices and processes that meet legal requirements:
– Build a strong privacy program that minimizes compliance risks and fosters consumer trust.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

AI Act: Fundamental Rights Impact Assessments (FRIA) – Who, When, Why, and How to Ensure Ethical AI Deployment

The European Union (EU) has positioned itself as a leader in shaping the responsible development an

How the Privacy Act Protects Personal Information in Australia

 As cyber threats loom larger and data breaches become more common, the significance of strong

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy