CCPA: What is Personal Information?

By Nic Villasenor / Published on December 20, 2019

When it comes to privacy laws, definitions matter. As we’ve discussed, the California Consumer Privacy Act (CCPA) gives a broad definition of personal information. In this post, we’ll look at where the definition has a wider application and where it’s a bit more narrow.

Definition of personal information under CCPA

The CCPA defines “personal information” to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

What does that mean, exactly?

You might want to review the text of the law yourself, but here are the various categories of personal information covered under CCPA:

  • Behavioral profile — Inferences drawn to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

  • Biometric information — An individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, and sleep, health, or exercise data that contain identifying information

  • Commercial information — Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

  • Contact information — Name, alias, email, phone number, address

  • Device information — Browser, device, screen resolution

  • Financial information — Payment information, bank information

  • Geolocation information — IP address, GPS coordinates

  • Government identifier — SSN, passport number

  • Health insurance information — Group number, subscriber number

  • Internet and electronic activity information — Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web Site, application, or advertisement

  • Medical information — Conditions, symptoms, treatment, diagnoses

  • Non-public education information — School records

  • Professional or employment information — Employment information

  • Protected class information — Race, color, sex, age (40 and older), religion, national origin, disability (physical or mental), citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, marital status, military or veteran status, political affiliations or activities, status as victim of domestic violence, assault, or stalking

  • Sensory information — Audio, electric, visual, thermal, olfactory, or similar information

This is the definition of Personal Information — the information for which CCPA grants California consumers certain rights: the right to be informed, the right to access, the right to opt in or out, the right to request deletion, and the right to non-discrimination.


If you’re already compliant with GDPR, you’ll find it a lot easier to come into compliance with CCPA, but there’s still work to be done as GDPR has a narrower definition of personal information.

The CCPA covers “consumers” who are natural persons who reside in California, whereas the GDPR protects “data subjects,” who count as natural persons in the EU, and doesn’t identify specific residency or citizenship requirements.

Why this matters to you

The first step to becoming compliant is understanding what personal information you store and where. If you haven’t already created a data map for your business, you will need to. If you did so for GDPR, you’ll probably need to increase the scope of any data management tools or processes to be more comprehensive. We’ll talk more about how to build a data map in future blog posts.
