The California Consumer Privacy Act (CCPA) came into effect four years after the General Data Protection Regulation (GDPR) was adopted. Despite coming on the heels of the GDPR, the recent California privacy law promptly established and defined its own concepts around consumer-related data.
What is personal information?
The CCPA maintains a broad definition of “personal information” or PI, referring to it as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The categories of personal information include but are not restricted to:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Customer records such as name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
- Characteristics of protected classifications under California or federal law such as race, ancestry, national origin, religion, age, mental and physical disability, sex, sexual orientation, gender identity, medical condition, genetic information, marital status, or military status
- Commercial information such as records of personal property, products or services purchased, or purchasing or consuming histories
- Biometric information
- Internet or other electronic network activity information such as browsing history, search history, or information regarding a consumer’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information not considered publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act
- Inferences that can create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes
What is not considered personal information?
While personal information is broadly defined, other categories are specifically excluded from this definition, including:
- Publicly available information, meaning information that is available from federal, state, or local government records
- Pseudonymized and de-identified information, or aggregated and de-identified information, that cannot reasonably be linked to an individual
Why this distinction matters
Understanding and properly defining personal information under the CCPA enables organizations to create a system of record that can more effectively address compliance requirements. Without that understanding, personal information will likely be misclassified from the start. Misclassified data may lead organizations to undercount or overcount the personal information they possess. It may also lead to inconsistent definitions of personal information, complicating the process of retrieving personal information for privacy use cases.
The proper classification of personal information supports the following privacy use cases:
- Disclosures: inform the public what categories of personal information on consumers are collected and for what purpose
- Consumer rights requests: respond quickly, confidently, and consistently to all applicable data subject requests, no matter which privacy manager or data steward is fulfilling the request
- Policy enforcement: know what personal information exists and where it’s located, allowing organizations to monitor and enforce data use policies
How Collibra can help you manage personal information
Organizations that collect, sell, or use personal information of California consumers most likely need to comply with the CCPA. Collibra Data Privacy enables organizations to:
- Identify data that may be considered personal information under the CCPA
- Uncover personal information hidden across hundreds of systems and data repositories
- Classify data into multiple categories as appropriate under the CCPA and other regulatory definitions
- Establish a glossary of clearly defined terminology across the departments that manage data
Sustainable CCPA compliance starts with a solid foundation for managing personal information. This foundation provides compliant access to and visibility of data, supporting CCPA requirements from public disclosures of data use to timely responses to consumer rights requests.