The Statute

The CCPA uses a two-part definition of personal information, followed by a list of exemplar information types that qualify as “personal,” assuming there is some linkage between the information in question and a California consumer:

“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

A. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

B. Any categories of personal information described in subdivision (e) of Section 1798.80 [i.e., the state’s secure records disposal statute].

C. Characteristics of protected classifications [i.e., race, color, sex, etc.] under California or federal law.

D. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

E. Biometric information.

F. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

G. Geolocation data.

H. Audio, electronic, visual, thermal, olfactory, or similar information.

I. Professional or employment-related information.

J. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

K. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. 1

The inclusion of “indirectly” in both parts of the definition means that information that is perhaps only tangentially linked to a person or is otherwise attenuated, such as geolocation information, is personal, and businesses that process that information are subject to the strictures of the Act. This greatly expands the scope of what qualifies as “personal.” The fact that the list of exemplars includes inferences made about other personal information on the list is particularly noteworthy; not even the EU General Data Protection Regulation’s (GDPR) definition of personal data includes that. 2 Another difference between the CCPA and the GDPR approach to “personal” is that the latter has singled out some types of data as “special,” such as data about race, ethnicity, religious beliefs, etc., that are included as “regular” personal information by the former. Publicly available information, properly de-identified data, and aggregate consumer information are not considered personal information. 3

The Regulations

The CCPA Regulations do not address the definition of personal information. With respect to personal information that is deidentified or in the aggregate, the Regulations state that:

  • A business may comply with a consumer’s request to delete their personal information by “deidentifying the personal information” or “aggregating the consumer information.” 4
  • “If a business maintains consumer information that is deidentified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.” 5

1. Cal. Civ. Code §1798.140(o).
2. However, the GDPR does proscribe profiling except under certain conditions; data subjects “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Art. 22(1).
3. Cal. Civ. Code §1798.140(o)(2)-(3).
4. CCPA Regulations §999.313(d)(2)(b)-(c).
5. CCPA Regulations §999.323(f).