How CPRA Defines Personal Information

By Morgan Sullivan

Senior Content Marketing Manager II

May 19, 2023 (7 min read)

At a glance

  • CPRA defines personal information (PI) as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
  • To comply with CPRA's requirements on personal information, businesses must provide a notice at collection and an easily accessible privacy policy.
  • CPRA also introduced the concept of 'sensitive personal information' (SPI), a subset of PI that was not defined in CCPA, and requires that businesses give consumers a way to request that they limit the use and disclosure of this type of data.

How does the CPRA define personal information?

The CPRA and CCPA have similar definitions for personal information (PI). On the California attorney general’s FAQ page for CCPA, personal information is described as data that “identifies, relates to, or could reasonably be linked with you or your household.”

The text of the CPRA offers a similar definition, stating that personal information: 

“identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

To augment these fairly broad definitions the attorney general (AG) offers a few examples of what personal data looks like in practical terms, stating that PI can include a person’s: 

  • Name
  • Social Security number
  • Driver’s license number
  • Passport number
  • Fingerprints (and other biometric information)
  • Employment information
  • Location data
  • Email address
  • Purchase history
  • Browsing history

Personal information also includes inferences made about an individual based on their personal data with the purpose of creating a consumer profile. 


Three building blocks

Golden Data Law offers a beautifully in-depth analysis of how privacy lawyers and others can approach the CPRA definition of personal information, breaking down the definition discussed above into three distinct categories: 

  • Information
  • That identifies, relates to, etc
  • A particular consumer or household

We’ll summarize this framework below, but highly recommend you read the full article.

Information 

According to Golden Data Law, both objective and subjective statements count as “information.” Whether or not someone purchased a particular item is an objective statement, whereas a subjective statement offers an opinion or personal perspective.

In this analysis, information can include statements (whether or not they’re proven to be true or false), graphics and sounds, and general communications. All of these may fall under the CPRA definition of personal information, assuming they meet the thresholds outlined within the text.

As an interesting aside, this article argues that unless communications are understandable to humans (as opposed to computers), they may not count as information under CCPA/CPRA.

That identifies, relates to, etc.

This portion of the definition is the most expansive and will likely prove to be the most interesting from a legal precedent point of view. Information that identifies an individual can be quite cut-and-dried: fingerprints, for example, very clearly identify a specific person. For other types of information, however, it's not as simple.

Take data gathered by cookies and adtech as an example. It isn’t necessarily personal information by virtue of its contents, as it can relate to browser or caching configurations. But in practice, this type of data is most often used to build profiles of individuals for the purpose of targeted advertising. And though these profiles are technically tied to a device, not a person, they still count as identifiable because a device can be used to pinpoint a specific person. The statute reflects this: cookies, device identifiers, and IP addresses are expressly listed as "unique identifiers," which in turn fall under the identifiers category of personal information.

The language around "directly or indirectly" is what makes this portion of the definition so broad, as many types of data, especially data aggregates, can be combined to identify individuals and households even when no single field does so on its own.


A particular consumer or household

This portion of the definition is pretty straightforward—the CPRA defines “consumers” as California residents. As long as they live in California, this also covers employees. 

Defining consumers as residents also means that deceased individuals, unborn children, and those who move to another state (even if they were previously living in California) are not protected by CPRA.

What is not personal information under CPRA?

Publicly available information, meaning data that’s lawfully made available in local, state, or federal government records, is not considered personal information under CPRA.

Examples of publicly available information include property records, professional licenses, or information that a consumer has purposefully made available to the general public. 

Certain medical and financial information is also exempted from CPRA, as those data types are already covered by existing federal data protection laws: HIPAA for protected health information and GLBA for financial data. Note that the exemption attaches to the data as regulated under those laws, not to the business as a whole; other personal information the same business collects is still in scope.

Sensitive personal information

Though CCPA and CPRA share a similar definition of personal information, CPRA did add a new category of PI: sensitive personal information (SPI). Understanding the difference between PI and SPI will be important for California businesses working towards compliance.

According to the CPRA, sensitive personal information refers to personal information that reveals a consumer’s: 

  • Social Security number
  • Driver’s license, state identification card, or passport number
  • Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account
  • Precise geolocation
  • Racial or ethnic origin
  • Religious or philosophical beliefs, or union membership
  • Contents of mail, email, or text messages (unless the business is the intended recipient)
  • Genetic data
  • Biometric information processed to uniquely identify the consumer
  • Health data
  • Sex life or sexual orientation

Note the "in combination with" language in the account and card item: a card number on its own is personal information, but it becomes sensitive personal information only when held together with the credentials that allow access to the account.

As you can see, there’s definitely overlap between PI and SPI—one way to think about the relationship between the two is that all SPI is PI, but not all PI is SPI. Say that five times fast!

The SPI designation is important because it gives consumers a new right that wasn’t available under CCPA. Under CPRA, consumers have the right to limit a business's use and disclosure of their sensitive personal information to what is necessary to provide the goods or services they requested, meaning businesses must give consumers a way to make that request, and then honor and fulfill it once received. 

Businesses’ obligations for personal information under CPRA

Businesses have two clear obligations in regards to personal information under CPRA: providing a comprehensive privacy policy and a notice at collection.

Remember, when it comes to sensitive personal information, they must also honor and fulfill consumer requests to limit its use and disclosure. For ordinary PI the bar is lower: consumers can opt out of the sale or sharing of that data, but cannot restrict the business's own use of it in the same way. 

Privacy policy

Privacy policies are one of the more visible aspects of CPRA compliance.

They must be accessible via a conspicuous link on a business’s website and include detailed information on a consumer's privacy rights, as well as how the organization handles personal information across 12 defined categories.

These categories include identifiers like a consumer’s name, home address, or Social Security number, personal characteristics like age, genetic information, or race, and more. A privacy policy must disclose whether your business collects, sells, or shares each of these data types and include information on how the data is being used.

The CPRA requires businesses to review and update their privacy policy at least once every 12 months in order to reflect any new and/or modified practices and consumer rights.

Notice at collection

Under CPRA, if a business is collecting consumer information it must, at or before the point of collection, disclose: 

  • the categories of personal information being collected
  • the purposes for which the data will be used
  • whether that PI will be sold to or shared with third parties
  • how long each category of PI, including SPI, will be retained

The CPRA also requires that businesses provide a link to their privacy policy in their notice at collection, as well as instructions on how to exercise consumer rights under the law. 

Once the notice has been given, businesses may not collect additional categories of personal information, or use PI for purposes incompatible with those disclosed in the initial notice, without first providing the consumer with a new notice.

Consumer rights for personal information under CPRA

Access

Consumers may request access to any personal data a business has collected.

Deletion

So long as the consumer's identity can be verified, businesses are required to delete a consumer's data upon request, subject to the law's exceptions (for example, data needed to complete a transaction the consumer requested or to comply with a legal obligation). They must also notify their service providers and contractors, and any third parties to whom the data was sold or shared, to delete it as well.

Correction

Consumers can ask a business to correct inaccurate personal information. If the business receives a correction request, it must use "commercially reasonable" efforts to do so.

Opt-out

Consumers may request that a business stop selling or sharing their personal information.

Limit use

Consumers have the right to tell a business to limit the use of their sensitive personal information to activities that are strictly "necessary" for providing a good or performing a service.

Non-discrimination

Businesses may not discriminate against a consumer, in the form of denying service or charging a higher price, for exercising their data rights under the CPRA.

Businesses may, however, offer a financial incentive or bonus in exchange for a consumer’s personal information, provided the terms are disclosed, the consumer opts in, and the incentive is reasonably related to the value of the data.

Do CCPA and CPRA handle personal information differently?

Yes, but only slightly. 

Though the CPRA mandates greater regulation in some areas, compared to the CCPA it actually offers a wider range of exceptions. Under CCPA, publicly available information (such as public records) is excluded from the law. 

But under CPRA, lawfully obtained, truthful information that is a matter of public concern, or that the consumer made available to the general public, is also excluded. 

The other key difference is the addition of the sensitive personal information sub-category, which we cover in greater detail above. 


About Transcend

Has your organization been impacted by the California Privacy Rights Act or other consumer privacy laws? Transcend, an all-in-one platform for modern privacy and data governance, can help you ensure compliance.

Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for state privacy laws coming online in 2024.

From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
