CCPA PII definition
In the California Consumer Privacy Act (CCPA), personal information is defined as:
“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
According to the CCPA, personal information is a broad category covering all kinds of data, ranging from the most straightforward and intuitive personal data to things that might not at first sight seem like personal data at all.
CCPA categories of personal information
A list of what is defined under the CCPA as personal information includes:
- Direct identifiers such as real name, alias, postal address, email address, social security numbers, driver’s license, passport information and signature.
- Indirect identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
- Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
- Geolocation data such as location history via devices.
- Internet activity such as browsing history, search history, data on interaction with a webpage, application or advertisement.
- Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information.
In the CCPA, personal information has no format or medium limitation, which means that even pictures or sounds can qualify as personal information, if they fall under the definition in the law.
However, the CCPA definition of personal information does not include de-identified/anonymized information or aggregate information (i.e. information about multiple users that does not contain personally identifiable information) – with the exception of household data, which we’ll look at in a minute.
CCPA personal data
Under the CCPA, personal information has no format or medium restrictions, which means that additional privacy practices and requirements can extend to pictures, sounds, or other data sources if they fall under the personal information definition under the law.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a state-level data privacy regulation in the United States that empowers consumers with more control over how their personal information is used by commercial entities. CCPA requirements guide how organizations need to comply with the law.
What are consumers’ rights under the CCPA?
Consumers’ privacy rights included under the CCPA are:
- right to access: to learn whether and what data has been collected about them and have access to a copy of it
- right to know: if their information is being sold to or shared with third parties
- right to opt out: to decline consent for the sale or sharing of their personal data, or for targeted advertising or profiling
- right to deletion: to request that data collected about them be deleted and not used for further processing
Of note is that prior consent needs to be obtained from a parent or guardian before collecting or processing the data of known children (under 16 years of age). Additional rights were also introduced with the California Privacy Rights Act (CPRA) in 2023, so it is important to be up to date on those as well for full regulatory compliance.
California PII Laws
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which expanded and amended the CCPA, are two important regulations that impact how businesses handle the personal information of residents of California.
The CCPA, which went into effect on January 1, 2020, is designed to give California residents more control over their digital privacy and personal data. The law requires businesses to disclose what personal information they collect, how it is used, and to provide consumers with the ability to opt-out of the sale of their personal information.
The CPRA, which was approved by California voters in November 2020, builds upon the CCPA and expands privacy rights for consumers. It includes new requirements for businesses, such as providing consumers with the right to correct inaccurate personal information and limiting businesses’ use of sensitive personal information.
CCPA enforcement has begun
The CCPA was already in effect when the CPRA was passed, and enforcement of the CPRA began in March 2024. The California Privacy Protection Agency (CPPA) is now the enforcement authority, taking over from the California Attorney General’s office.
The California Privacy Rights Act (CPRA) is now law
The California Privacy Rights Act (CPRA) was passed in the general election on November 3, 2020.
The CPRA amends and expands the existing data privacy regime under the CCPA, giving new rights to California residents, strengthening business requirements and creating a whole new government agency responsible for enforcement.
The California Privacy Rights Act (CPRA) came into effect on January 1, 2023, with a look-back period to January 2022. Enforcement was initially supposed to begin on July 1, 2023, but was delayed due to legal challenges. Enforcement began after that was resolved, on March 29, 2024.
Personal information under CCPA
Using data that is not in itself personal data to draw inferences for the purpose of creating profiles on consumers (covering consumer behavior, convictions, preferences, intelligence, abilities and characteristics) can be considered personal information under the CCPA.
This expansive definition in the CCPA of PII is a crucial leap for US data privacy, because it directly relates to the billion-dollar ad tech industry of behavioral advertisement based on personal data collection that studies show Americans are worried about and want regulated.
It means that using e.g. cookies, web beacons and social media plugins on your website can be a liability under the CCPA, if you or third parties either directly collect personal information through such means, or if you or third parties collect data that can be used to create identifiable profiles for the purpose of personalized advertisement.
What does the CCPA say about cookies?
If data has the potential to ultimately result in the identification of an individual, it can be deemed personal information under the CCPA, since the law defines personal information as “reasonably capable” of being linked to an individual or a household.
Put differently, the CCPA’s personal information definition includes not only data that identifies, but also data that makes identification possible.
This includes website cookies, browser history and website analytics, such as monitoring user behavior on a domain (how long their mouse hovers on what, scroll speed, clicks and more), since these could, through combination and inference, lead to the identification of an individual.
CCPA household data definition
In the CCPA, personal information also covers a subgroup of data called household information.
Household information has been discussed vigorously since the CCPA passed into law and criticized for its ambiguous nature.
The CCPA’s personal information definition does not further specify what household data means or how it should be enforced.
However, the final CCPA regulations define household as:
“a person or group of people who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.”
Of note is that under the CPRA, “devices” have been removed from the compliance requirements and thresholds for households.
Cookiebot CMP, CCPA and personal information
If your business has a website, it is almost certain that you one way or another collect what is defined in the CCPA as personal information.
Compliance thresholds for the CCPA
While almost all websites collect data, the CCPA applies to a limited number of organizations. It only protects the personal data of residents of California, processed by commercial entities that meet any one of the following thresholds:
- have annual gross revenues exceeding US $25 million in the preceding calendar year; or
- receive, buy, or sell personal information of 100,000 or more consumers or households; or
- earn more than 50 percent of their annual revenue from the sharing or sale of consumers’ personal information.
Given the broad definition in the CCPA of personal information, first- and third-party cookies can be deemed indirect identifiers, reasonably capable of identifying an individual through the collection of personal information such as browser history, cross-site tracking, IP addresses, and other behavioral data that trackers and plugins on your website collect on your end users.
The Cookiebot CMP solution enables data controllers to provide transparency about data collection and use, and enables CCPA website compliance for businesses.
An important part of achieving CCPA compliance is for a business to know all of the data they collect and from where, how it’s stored, who has access to it, and how it’s used. For example, on the website: what cookies and trackers are in use, what data do they collect, which of them are set by third parties, and what do they do with that data? With the CCPA rights consumers now have, personal data is no longer a commodity that businesses can collect without limit, trade, share, or sell without any thought for the consumer. In California, personal information belongs to end users, who now have more control over who can access it, and for what purposes.
CCPA compliance with Cookiebot CMP
Any organization that collects data on California residents and meets the compliance thresholds needs to have reasonable security procedures in place to ensure that it adequately protects the personal data it has collected. It also needs to ensure that processing and sharing of the data follows regulatory requirements. The law also requires such organizations to provide information about data collection and processing and about user rights in a prominent place, most commonly via a CCPA privacy policy on the website.
Our solution works to protect privacy and human autonomy on our digital infrastructures, and we are thrilled to see strong data privacy laws emerging around the world – from Europe to the US.
Our CMP is a compliance solution for the CCPA and the GDPR, depending on the configuration you and your business need and where in the world your end users are located.
Cookiebot scans your website, uncovers all cookies and trackers in place and blocks them from collecting personal information until your end users have given consent to the trackers they will allow to be activated, as the strict privacy requirements of the European GDPR demand.
We also support the CCPA requirement of having a Do Not Sell My Personal Information link on a business’ website.
Try Cookiebot CMP for free today if your business and its websites have visitors or customers from California, and you collect personal information using cookies, trackers, social media plugins, and other tools on your domains.
This way, you can enable and maintain your company’s compliance with the CCPA, CPRA and other potential privacy regulations. You can ensure transparency with your users about data collection, protection, and processing, as well as compliant consent choices. This is not only required by law, but also helps build trust and brand reputation as you demonstrate respect for user privacy.
FAQ
What is personal information under the CCPA?
Personal information is defined as any information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes names, addresses, social security numbers, driver’s license, location data, sensitive information about personal characteristics, religious or political convictions, sexual orientation, as well as internet activity such as browsing history, search history, IP addresses and more.
The consumer’s CCPA rights to request information include:
- personal information the business has collected about them
- sources from which the personal information is collected
- purposes for collecting and processing personal information
- categories of third parties and service providers with whom the business shares or to which it sells personal information
Consumers can also opt out of collection and processing of some data, e.g. sensitive information, as well as opt out of sharing or sale of their data. Consent for collection and processing of children’s data must be obtained before any data is collected.
Companies that receive requests from consumers exercising their rights must reply to or fulfill them within a reasonable time frame, or provide clear and reasonable reasons why they cannot fulfill the request or need additional time to do so.
Are cookies personal information under the CCPA?
Yes. Under the CCPA, cookies are classified as unique or persistent identifiers because of their ability to collect and process information that can be used to identify or re-identify a California resident. Most third-party cookies on websites will assign unique IDs to a user’s browser that can be used to track the user across the Internet and across devices.
Which organizations must comply with the CCPA?
Companies and for-profit organizations that meet any of the following thresholds are defined as a business under the CCPA and must comply with the law, no matter where in the world they are located: have an annual gross revenue of more than $25 million; derive 50% or more of their annual revenues from selling consumers’ personal information; or buy, receive, sell or share the personal information of 50,000 or more California residents per year.
Cookies are notoriously difficult to manage, since a large share of them are loaded silently by other third-party cookies, and many of these will have changed on repeated visits. Using a consent management platform (CMP) that can scan and detect all cookies and trackers, then automatically control them until your users make their choice of consent or opt out, can help make your website compliant with the CCPA.
Resources
How does a business become CCPA compliant?
What are the differences between the CCPA and EU’s GDPR?