When it comes to the California Consumer Privacy Act (CCPA), what constitutes “personal information” is one of its most important concepts. All of businesses’ obligations and consumers’ rights under the data privacy law center around the collection and use of consumers’ personal information, so understanding what the term means is one of the first steps toward CCPA compliance.

Personal Information Defined

The CCPA’s definition of personal information is incredibly broad. Arguably, it is even broader than the General Data Protection Regulation’s (GDPR) definition of “personal data.” Using the most recent statutory language, personal information is:

Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

It’s a very inclusive definition that is designed to catch any and every kind of information that is connected to an individual or household. Luckily, the CCPA also has a helpful list of examples. These examples include:

• Identifiers – real names, email addresses, account names, IP addresses, Social Security numbers, etc.
• Characteristics of protected classifications – Any classification protected by federal or California law, such as race, gender, sexual orientation, or age
• Commercial information – Records of personal property, products, or services purchased or considered, and other such consumer histories
• Biometric information – Fingerprints, faceprints, voiceprints, retina scans, etc.
• Internet activity – Browsing history and search history, along with information related to a consumer’s interactions with a web page, application, or advertisement
• Geolocation data – Where the consumer is or has been, often obtained by IP address or smartphone data
• Sensory information - Audio, electronic, visual, thermal, olfactory, or similar information
• Professional or employment-related information – Past employers, type of work, etc.
• Education information – Information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act
• Consumer Profiles – Inferences drawn from any personal information used to create a profile of a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Bearing in mind there are potentially other categories of personal information not included in this list, it should at least give you a sense of the wide variety of data that falls under the CCPA.

What Is Not Personal Information?

With so much data being defined as personal information by the CCPA, it is helpful to look at what the law specifically says is not personal information. There are two main categories of exemptions: publicly available information and deidentified or aggregate consumer information.

Publicly available information originally only included information lawfully made available from federal, state, or local government records. The California Privacy Rights Act (CPRA) significantly expanded this to include two more types of publicly available information. The first is “lawfully obtained, truthful information that is a matter of public concern”—an exemption that covers information collected for journalistic purposes. The second is “information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media.” This is important because it covers public consumer data collected from social networks.

Deidentified or aggregate consumer information is data that cannot be linked to a particular consumer or household. Examples include a consumer profile from which all identifiers have been removed, or website usage statistics, such as total homepage visits, that can’t be linked to any identified individual.

Exemptions for Other Laws

In order to avoid conflicting regulatory schemes, the CCPA makes exemptions for personal information that is already covered by other state and federal laws. The three most important are:

• The Health Insurance Portability and Accountability Act (HIPAA) - HIPAA protects the confidentiality of medical information.
• The Gramm-Leach-Bliley Act (GLBA) - A federal law that applies to financial information and other consumer data held by banks and other financial institutions.
• The Fair Credit Reporting Act (FCRA) - The FCRA covers the collection and sharing of data used for credit reports and other background checks.

To the extent that personal information is already regulated by these laws and businesses are in compliance with them, the CCPA does not apply.

Sensitive Personal Information

The CPRA also added a new category of personal information: sensitive personal information. This accompanies a new consumer right granted by the CPRA, the right to limit use and disclosure of sensitive personal information. It includes:

• A consumer’s social security, driver’s license, state identification card, or passport number
• A consumer’s account log-in, financial account, credit card, or debit card number in combination with any required security or access code, password, or credentials allowing access to an account
• A consumer’s precise geolocation
• A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
• The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
• A consumer’s genetic data
• The processing of biometric information for the purpose of uniquely identifying a consumer
• Personal information collected and analyzed concerning a consumer’s health
• Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation

The new privacy right means that, with regard to sensitive personal information, consumers can request business to limit its use and disclosure to what is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.” In order to comply with such a request, any business that collects or uses sensitive personal information will need to track it separately in their data map.

‍