Examples of Personal Information Under the CCPA

Privacy laws like California Consumer Privacy Act (CCPA) protect and regulate the use of “personal information,” but what does that term mean? It is perhaps the most widely misunderstood concept in the CCPA, because it is much broader than most people think. Of course it includes identifiers like names, email addresses, Social Security Numbers, etc., but there is a lot more data that is considered to be “personal information” under the CCPA.

Because understanding what is and isn’t personal information is so fundamental to privacy compliance, we’ll go over the official definition and give real-world examples.

“Personal Information” Defined

Here is the official definition of personal information, as given by the CCPA:

“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal information, therefore, is much more than simple identifiers. It includes any information that relates to a particular person (or, as other laws such as the GDPR put it, an “identified or identifiable person natural person”). 

Information that is deidentified, i.e., that cannot be reasonably linked to a particular person, is not considered personal information. However, that exception may become more difficult to rely on as technology gets better and better at connecting otherwise anonymous data (such as web browsing activity) to a particular consumer. For this reason, amendments added by the California Privacy Rights Act (CPRA) require businesses that use deidentified information to publicly commit to keeping such data in deidentified form and contractually obligate any recipients of the data to do the same.

Examples of CCPA Personal Information

Here are some examples of CCPA personal information, broken down by category.

Personal Identifiers

These are types of data that, by their very nature, relate to a particular person or household.

• Names

• Mailing addresses

• Email addresses

• Phone numbers

• Social Security numbers

• Driver’s license or ID numbers

Online Identifiers

This is a very important category of personal information, because virtually every website collects some form of this data from each of its visitors.

• IP addresses

• Cookies

• Tracking pixels

• Device identifiers

Internet Activity

Internet activity is commonly tracked for marketing and analytics purposes, and is a strong privacy concern for many consumers.

• Browsing history

• Web page interactions

• Email open and click-through rates

• Search history

Commercial & Financial Information

This type of personal information is usually tracked meticulously, as it relates how consumers spend their money and the ways they pay for purchases.

• Purchase history and tendencies

• Credit card numbers

• Bank account numbers

• Account access credentials

• Signature scans

• Insurance policy numbers

Geolocation Data

Geolocation data can be easily collected not just through GPS location sharing, but also other means such as information provided via internet service providers.

• Broad geolocation (such as city-level location)

• Precise geolocation (within 1850 feet)

Biometric Data

Biometric data is of particular sensitivity because it can never be changed.

• Fingerprints

• Iris scans

• Facial scans

• Genetic data

• Voiceprints

Physical, Visual & Audio Data

Though distinct from biometric data, other categories of personal information still relate physically to a particular person.

• Physical characteristics (e.g. height, weight, skin color, eye color, etc.)

• Voice recordings

• Photos

• Videos

Protected Characteristics

These categories of data relate to personal characteristics protected by state and federal laws.

• Race or color

• Sex or gender

• Sexual orientation

• Citizenship or immigration status

• Religion

• National origin

• Familial or marital status

• Medical condition or disability

• Veteran status

• Political affiliation

• Union membership

Professional Information

This type of data most often is collected in the employment context.

• Non-public education records

• Work history

• Certifications and degrees

• Performance reviews

Inferences

Information about a particular consumer that has been derived from existing personal information is itself considered personal information.

• Predictions of future spending behavior

• Psychological trends

• Conclusions about a person’s intelligence, abilities, or aptitudes

Get Help with Your Privacy Compliance

This list of examples of CCPA personal information is by no means exhaustive; hopefully it is clear that there can never be an exhaustive list of what is considered personal information. Businesses continue to collect data in new and inventive ways, so when trying to decide if some particular type of data is personal information, it always comes back to the principal question: is it information that relates to a particular person? If so, then it is personal information.

This is just one feature of the increasingly complex landscape of privacy compliance in the United States. Individual states continue to pass their own versions of privacy legislation, every one of which is a little different and warrants its own consideration.

TrueVault simplifies privacy compliance for businesses that don’t have their own in-house privacy expert. Through a step-by-step process, our software can guide any business to compliance, and includes the tools and integrations to help them stay compliant. You can onboard vendors, create a data map, and be ready to respond to privacy requests in a matter of hours. Even better, as new state laws are passed, they are added to your Privacy Center at no additional cost! 

To view a demo of how TrueVault works, contact our team today.