The California Consumer Privacy Act (CCPA), the United States’s strictest and most comprehensive data privacy law, has the broadest definition of “personal information” of any law in effect—including the European Union’s General Data Protection Regulation (GDPR). The law is so sweeping that it includes 11 categories of personal information.

The CCPA aims to prevent the sale or sharing of California residents’ (“consumers”) personal information without their permission—but it protects more than the conventional types of “personal data” such as name, telephone number, and social security number. The law considers a person’s browsing and search history, geolocation data, biometrics, and other types of information that have not been “de-identified” to be worthy of regulation, as well.

The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

It establishes the following categories of personal information: 

  1. Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  2. Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
  3. Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
  4. Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  5. Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
  6. Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
  7. Geolocation data
  8. Audio, electronic, visual, thermal, olfactory, or similar information
  9. Professional or employment-related information
  10. Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  11. Inferences

The law also includes inferences that could be used to create a profile reflecting a consumer’s: 

  • Preferences
  • Characteristics
  • Psychological trends
  • Predispositions
  • Behavior
  • Attitudes
  • Intelligence
  • Abilities
  • Aptitudes

It gives the California attorney general the power to add categories of personal information to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.

What isn’t personal information

The CCPA’s definition of personal information does not include publicly available information. That would be data contained in publicly available federal, state, or local government records.

Certain types of information are exempt from CCPA regulation, including certain financial information and medical information regulated by the Health Insurance Portability and Accountability Act (HIPAA).

Why the categories matter

The CCPA establishes new consumer rights regarding personal information. Under the law, businesses that collect personal information from consumers must inform them at or before the time of collection that they are doing so. Businesses must disclose the categories of information they are collecting and the purpose for which it will be used.

Those businesses must also provide a “Do Not Sell My Personal Information” button or link on their website’s home page.

If it receives a verifiable consumer request, a business must respond with:

  • Which categories of personal information it has collected about the consumer
  • The categories of sources of that information 
  • Its business or commercial purpose for collecting or selling it
  • The categories of third parties, such as service providers, with which it shares personal information
  • Specific pieces of personal information the business has collected about the consumer

When selling a consumer’s personal information or disclosing it for a business purpose, a business must disclose, upon request: 

  • The categories of personal information the business has collected about the consumer
  • The categories of the consumer’s personal information the business has sold and the categories of third parties to which it sold the data 
  • Which categories of the consumer’s personal information the business has disclosed for a business purpose