Personal Information

The Statute

The CCPA uses a two-part definition of personal information, followed by a list of exemplar information types that qualify as “personal,” assuming there is some linkage between the information in question and a California consumer:

“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

A. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

B. Any categories of personal information described in subdivision (e) of Section 1798.80 [i.e., the state’s secure records disposal statute].

C. Characteristics of protected classifications [i.e., race, color, sex, etc.] under California or federal law.

D. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

E. Biometric information.

F. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.

G. Geolocation data.

H. Audio, electronic, visual, thermal, olfactory, or similar information.

I. Professional or employment-related information.

J. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

K. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. 1

The inclusion of “indirectly” in both parts of the definition means that information that is perhaps only tangentially linked to a person or is otherwise attenuated, such as geolocation information, is personal, and businesses that process that information are subject to the strictures of the Act. This greatly expands the scope of what qualifies as “personal.” The fact that the list of exemplars includes inferences made about other personal information on the list is particularly noteworthy; not even the EU General Data Protection Regulation’s (GDPR) definition of personal data includes that. 2 Another difference between the CCPA and the GDPR approach to “personal” is that the latter has singled out some types of data as “special,” such as data about race, ethnicity, religious beliefs, etc., that are included as “regular” personal information by the former. Publicly available information, properly de-identified data, and aggregate consumer information are not considered personal information. 3

The Regulations

The CCPA Regulations do not address the definition of personal information. With respect to personal information that is deidentified or in the aggregate, the Regulations state that:

  • A business may comply with a consumer’s request to delete their personal information by “deidentifying the personal information” or “aggregating the consumer information.” 4
  • “If a business maintains consumer information that is deidentified, a business is not obligated to provide or delete this information in response to a consumer request or to re-identify individual data to verify a consumer request.” 5

1. Cal. Civ. Code §1798.140(o).
2. However, the GDPR does proscribe profiling except under certain conditions; data subjects “have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Art. 22(1).
3. Cal. Civ. Code §1798.140(o)(2)-(3).
4. CCPA Regulations §999.313(d)(2)(b)-(c).
5. CCPA Regulations §999.323(f).
