Understanding Personal Information Under CCPA/CPRA: A Guide for California Businesses
Compliance with the CCPA and CPRA hinges on correctly understanding what constitutes “personal information.” California’s data privacy laws define the term broadly, so businesses need to know which data points fall within it. This post breaks down the key categories and the recent updates you need to be aware of.
What is Personal Information (PI) under CCPA/CPRA?
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines personal information (PI) broadly: any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. Two things fall outside the definition: publicly available information (for example, data lawfully made available from government records) and data that has been properly deidentified or aggregated.
Here is a breakdown of the categories of PI under the CCPA/CPRA:
Category | Examples
Identifiers | Name, postal address, email address, Social Security number, driver’s license number, passport number, account name, customer number, IP address, cookie IDs, device IDs and other online identifiers
Characteristics of protected classifications | Race, religion, age, gender, disability status and other characteristics protected under California or federal law
Commercial information | Records of products or services bought, obtained or considered; purchase and consumption histories
Biometric information | Physiological or behavioral characteristics usable for identification, such as fingerprints, facial scans, voiceprints and iris scans
Internet or other electronic network activity | Browsing history, search history, and interactions with a website, application or advertisement
Geolocation data | Location information such as GPS coordinates from a mobile device or a location derived from an IP address
Sensory data | Audio, electronic, visual, thermal, olfactory or similar information
Professional or employment-related information | Job history, performance evaluations, salary and similar HR records
Education information | Non-public personally identifiable information maintained by an educational institution (the FERPA definition)
Inferences | Profiles drawn from any of the above to reflect a consumer’s preferences, characteristics, behavior, attitudes or abilities
CPRA’s Sensitive Personal Information (SPI)
The CPRA introduced the concept of ‘Sensitive Personal Information’ (SPI). This subset of PI carries heightened safeguards and additional consumer rights because of its potentially intimate or revealing nature. SPI includes:
– Social Security number, driver’s license number, state identification card number, passport number;
– Account log-in, financial account, debit card or credit card number, in combination with any required password, security code or credentials that allow access to the account;
– Precise geolocation (data that locates a consumer within a radius of 1,850 feet);
– Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, union membership;
– Genetic data;
– Biometric information processed to uniquely identify a consumer;
– The contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
– Health information;
– Sex life or sexual orientation.
Businesses handling SPI must apply reasonable security appropriate to its sensitivity, disclose the categories of SPI they collect and the purposes of use in the notice at collection and privacy policy, and give consumers a way to exercise their SPI rights. The CPRA gives consumers the right to know what SPI a business collects about them and the right to limit its use and disclosure to what is necessary to perform the services or provide the goods the consumer requested (plus a short list of other purposes permitted by the regulations). A business that uses SPI beyond those purposes must offer this right through a “Limit the Use of My Sensitive Personal Information” link.
Employee and B2B Data: The Exemptions Have Expired
The CCPA originally carved out most employee and business-to-business (B2B) data. The CPRA let those exemptions expire on January 1, 2023, so this data is now in scope. Employees, job applicants, contractors and similar individuals (including the emergency contacts and beneficiaries they list) have the same rights as other consumers: to know what personal information is collected and how it is used, to request correction of inaccurate information, to request deletion, to opt out of sale or sharing, and to limit the use of their sensitive personal information. HR records such as performance reviews, payroll data and emergency contact details are therefore covered.
Similarly, information collected in B2B interactions, such as the names, job titles and contact details of business representatives, is now covered. Businesses must provide a notice at collection describing the categories of information collected and the purposes of use, and B2B contacts can exercise the same rights, including opting out of the sale or sharing of their information.
The CCPA’s general exceptions still apply: for example, a business may decline a deletion request for information it needs to complete the transaction for which it was collected, to comply with a legal obligation, or for another purpose listed in the statute, which will cover much routine employment and B2B record-keeping.
What Your Business Needs To Do
Thorough data mapping
Identify all types of personal information you collect, store, and process. Pay special attention to the sources of PI (customers, employees, business contacts, etc.), types of PI (identifiers, commercial information, etc.), and whether you collect any SPI.
Classify data
Categorize all PI according to the CCPA/CPRA definitions. Designate any SPI so that it receives heightened protection, and mark employee, applicant, contractor and B2B data, which is now in scope.
Update policies and procedures
Ensure your privacy policy, notices at collection and data-handling practices reflect the correct classifications, the consumer rights available (including the right to limit SPI use) and your SPI safeguards.
Secure SPI
Implement stricter security measures for sensitive personal information: encryption at rest and in transit, least-privilege access controls with access logging, retention limits, and an incident response plan that covers SPI.
Respond to requests
Prepare to handle access, deletion, correction, opt-out and limit-SPI-use requests, including those from employees, applicants, contractors and B2B contacts, within the 45-day response window.
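The mapping and classification steps above are where a security engineer can automate part of the work: scan each dataset, classify fields by value format and column name, and flag anything that looks like SPI so it gets the heightened controls. The Python below is an added example written for this post; it is not GDPRLocal’s tooling, and the field names, the constructed sample records, the column-name hint table and the decimal-places heuristic for “precise” geolocation are all assumptions. It flags a Luhn-valid card number as SPI but not a 16-digit customer number, and treats coordinates at city-level precision as geolocation data that is not SPI.

```python
"""Classify each field of an inventoried record into CCPA/CPRA categories and flag
likely sensitive personal information (SPI). Added example, not GDPRLocal's code;
the field names, sample records and geolocation heuristic are assumptions."""
import re
from collections import namedtuple

# Value-format rules. The SSN pattern rejects area 000/666/9xx, group 00 and serial
# 0000, which are never issued, so fewer random 3-2-4 digit strings are flagged.
SSN_RE = re.compile(r"^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

# Column-name rules (assumed hint table) for values whose format is not conclusive:
# token prefix -> (category, is_spi, reason).
FIELD_HINTS = {
    "ssn": ("identifiers", True, "Social Security number"),
    "customer": ("identifiers", False, "customer number"),
    "purchase": ("commercial information", False, "purchase history"),
    "performance": ("professional or employment-related information", False, "performance evaluation"),
    "job": ("professional or employment-related information", False, "job information"),
    "ethnic": ("characteristics of protected classifications", True, "racial or ethnic origin"),
    "health": ("health information", True, "health information"),
}

Classification = namedtuple("Classification", "field category spi reason")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only real card numbers (not any long digit string) count as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_coordinates(text: str):
    """Return [lat, lon] as strings if the value is a lat,lon pair in valid ranges, else None."""
    parts = [p.strip() for p in text.split(",")]
    try:
        lat, lon = (float(p) for p in parts)
    except ValueError:
        return None
    return parts if -90 <= lat <= 90 and -180 <= lon <= 180 else None

def is_precise(lat: str, lon: str) -> bool:
    """Heuristic (assumption): three decimals of a degree locate a point within ~111 m, inside
    the 1,850 ft (~564 m) radius that makes geolocation 'precise' under the CPRA; two (~1.1 km) do not."""
    decimals = lambda s: len(s.split(".")[1]) if "." in s else 0
    return min(decimals(lat), decimals(lon)) >= 3

def classify_field(name: str, value) -> Classification:
    text = str(value).strip()
    if SSN_RE.match(text):
        return Classification(name, "identifiers", True, "Social Security number")
    if CARD_RE.match(text) and luhn_ok(text):
        return Classification(name, "identifiers", True, "payment card number (Luhn-valid)")
    if EMAIL_RE.match(text):
        return Classification(name, "identifiers", False, "email address")
    if IPV4_RE.match(text):
        return Classification(name, "identifiers", False, "IP address")
    coords = parse_coordinates(text)
    if coords:
        precise = is_precise(*coords)
        return Classification(name, "geolocation data", precise, "precise" if precise else "coarse")
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    for prefix, (category, spi, reason) in FIELD_HINTS.items():
        if any(tok.startswith(prefix) for tok in tokens):
            return Classification(name, category, spi, reason)
    return Classification(name, "unclassified", False, "no rule matched; review manually")

def spi_fields(record: dict) -> list:
    return [c.field for c in (classify_field(k, v) for k, v in record.items()) if c.spi]

def build_data_map(datasets: dict) -> dict:
    """dataset -> category -> sorted field names: the artefact a data-mapping exercise produces."""
    data_map = {}
    for dataset, record in datasets.items():
        by_cat = {}
        for k, v in record.items():
            c = classify_field(k, v)
            by_cat.setdefault(c.category, []).append(c.field)
        data_map[dataset] = {cat: sorted(f) for cat, f in sorted(by_cat.items())}
    return data_map

# Constructed sample records (not real data): a customer, an employee and a B2B contact.
SAMPLE_RECORDS = {
    "crm.customers": {"customer_id": "1000000000000001", "email": "jane@example.com",
                      "last_ip": "203.0.113.7", "card_number": "4111111111111111",
                      "last_purchase": "running shoes (order 5521)",
                      "home_coordinates": "37.77493,-122.41942"},
    "hr.employees": {"ssn": "123-45-6789", "work_email": "j.doe@example.com",
                     "performance_rating": "meets expectations", "ethnicity": "declined to state"},
    "sales.b2b_contacts": {"contact_email": "procurement@example.org",
                           "job_title": "Head of Procurement", "office_city": "34.05,-118.24"},
}

if __name__ == "__main__":
    for dataset, record in SAMPLE_RECORDS.items():
        print(dataset, "SPI fields:", spi_fields(record), build_data_map({dataset: record})[dataset])
```

A real inventory would be fed from database schemas, form definitions and log fields rather than a hand-built dict, and anything left “unclassified” still needs a human decision. The Luhn and coordinate-range checks are there to keep the SPI list credible: over-flagging is what makes teams stop trusting the data map.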
Staying Ahead
This blog post has outlined the various categories of PI and the special protections afforded to sensitive personal information (SPI). However, applying these definitions to your specific business practices can be challenging.
Partnering with privacy professionals like ourselves at GDPRLocal can provide tailored insights and strategies to help you:
– Accurately map and classify your business’s unique data flows;
– Implement safeguards that specifically address SPI handling;
– Develop clear privacy notices and processes that meet legal requirements;
– Build a strong privacy program that minimizes compliance risks and fosters consumer trust.
Contact Us
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.