At a glance
CPRA defines personal information (PI) as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
CPRA also introduced the concept of 'sensitive personal information,' a subset of PI that wasn't included in CCPA, and requires that businesses give consumers the ability to request that businesses limit their processing of this type of data.
How does the CPRA define personal information?
The CPRA and CCPA have similar definitions for personal information (PI). On the California attorney general’s FAQ page for CCPA, personal information is described as data that “identifies, relates to, or could reasonably be linked with you or your household.”
The text of the CPRA offers a similar definition, stating that personal information:
“identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
To augment these fairly broad definitions, the attorney general (AG) offers a few examples of what personal data looks like in practical terms, stating that PI can include a person's:
Social security number
Driver’s license number
Fingerprints (and other biometric information)
Personal information also includes inferences made about an individual based on their personal data with the purpose of creating a consumer profile.
Three building blocks
Golden Data Law offers a beautifully in-depth analysis of how privacy lawyers and others can approach the CPRA definition of personal information, breaking down the definition discussed above into three distinct categories:
Information
That identifies, relates to, etc.
A particular consumer or household
We’ll summarize this framework below, but highly recommend you read the full article.
Information
According to Golden Data Law, both objective and subjective statements count as "information." Whether or not someone purchased a particular item is an objective statement, whereas a subjective statement offers an opinion or personal perspective.
In this analysis, information can include statements (whether or not they’re proven to be true or false), graphics and sounds, and general communications. All of these may fall under the CPRA definition of personal information, assuming they meet the thresholds outlined within the text.
As an interesting aside, this article argues that unless communications are understandable to humans (as opposed to computers), they may not count as information under CCPA/CPRA.
That identifies, relates to, etc.
This portion of the definition is the most expansive and will likely prove to be the most interesting from a legal precedent point of view. Information that identifies an individual can be quite cut and dry—fingerprints, for example, very clearly identify a specific person. For other types of information, however, it's not as simple.
Take data gathered by cookies and adtech as an example. It isn't necessarily personal information by virtue of its contents, as it can relate to browser or caching configurations. But in practice, this type of data is most often used to build profiles of individuals for the purpose of targeted advertising. And though these profiles are technically tied to a device, not a person, the data still counts as identifiable because a device can be used to pinpoint a specific person.
The language around directly or indirectly is what makes this portion of the definition so broad, as many types of data, especially data aggregates, can be used to identify individuals and households.
A particular consumer or household
This portion of the definition is pretty straightforward—the CPRA defines “consumers” as California residents. As long as they live in California, this also covers employees.
Defining consumers as residents also means that deceased individuals, unborn children, and those who move to another state (even if they were previously living in California) are not protected by CPRA.
What is not personal information under CPRA?
Publicly available information, meaning data that’s available in local, state, or federal records, is not considered personal information under CPRA.
Examples of publicly available information include property records, professional licenses, or information that a consumer has purposefully made available to the general public.
Certain medical and financial information is also exempted from CPRA, as those data types are already covered by existing federal data protection laws—HIPAA for medical data and GLBA for financial data.
Sensitive personal information
Though CCPA and CPRA share a similar definition of personal information, CPRA did add a new category of PI: sensitive personal information (SPI). Understanding the difference between PI and SPI will be important for California businesses working towards compliance.
According to the CPRA, sensitive personal information refers to personal information that reveals a consumer’s:
Social security number
Driver’s license number
Financial information (account numbers, access codes, passwords, etc.)
Credit or debit card numbers
Racial or ethnic origin
Contents of communications (email, mail, texts)
As you can see, there’s definitely overlap between PI and SPI—one way to think about the relationship between the two is that all SPI is PI, but not all PI is SPI. Say that five times fast!
The SPI designation is important because it gives consumers new rights that weren't available under CCPA. Under CPRA, consumers have the right to opt out of the processing of their sensitive personal information, meaning businesses must give consumers a way to make that request, and then honor and fulfill a consumer's request once received.
Businesses’ obligations for personal information under CPRA
Remember, when it comes to sensitive personal information, businesses must also honor and fulfill consumer requests to opt out of processing, but for simple PI the bar is a bit lower.
Privacy policies are one of the more visible aspects of CPRA compliance.
They must be accessible via a conspicuous link on a business’s website and include detailed information on a consumer's privacy rights, as well as how the organization handles personal information across 12 defined categories.
Notice at collection
Under CPRA, if a business is collecting consumer information, it must, at the point of collection, disclose:
the categories of personal information being collected
the purposes for which the data will be used
whether that PI will be sold to or shared with third parties
how long each category of PI, including SPI, will be retained
Once the notice has been given, businesses may not collect additional categories of personal information or use PI for purposes inconsistent with those disclosed in the initial notice.
Consumer rights for personal information under CPRA
Consumers may request access to any personal data a business has collected.
So long as the consumer's identity can be verified, businesses are required to delete a consumer's data upon request. They must also direct vendors and other service providers to do the same.
Consumers can ask a business to make corrections to their personal data. If the business receives a correction request, it must make a "reasonable" effort to do so.
Consumers may request that a business stop selling or sharing their personal information.
Consumers have the right to tell a business to limit the use of their sensitive personal information to activities that are strictly "necessary" for providing a good or performing a service.
Businesses may not discriminate against a consumer, in the form of denying service or charging a higher price, for exercising their data rights under the CPRA.
Businesses may, however, offer an incentive or bonus in exchange for a consumer’s personal information.
Do CCPA and CPRA handle personal information differently?
Yes, but only slightly.
Though the CPRA mandates greater regulation in some areas compared to the CCPA, it actually offers a wider range of exceptions. Under CCPA, publicly available information (such as public records) is excluded from the law.
But under CPRA, truthful information that a consumer made available to the public, or that is a matter of public concern, is also excluded.
The other key difference is the addition of the sensitive personal information sub-category, which we cover in greater detail above.