
How to Identify and Protect Personal Information Under CCPA

By Safna December 16, 2024

Data generation is skyrocketing every day, currently reaching over 402.74 million terabytes a day globally. This means the internet is flooded with personal information—names, private emails, IP addresses, customer profiles, and sensitive information. Along with it come privacy laws like CCPA, which make understanding and protecting consumer information no longer optional. Read on to get the full spin on CCPA personal information.

What is personal information under CCPA?

The California Consumer Privacy Act defines personal information as any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. 

A consumer is a living person residing in California who is identified by any means, including unique identifiers. Any individual who fits the definition of resident under section 17014 of Title 18 is a California resident under CCPA.

The California law further defines a household as a group of consumers who cohabitate with one another at the same residential address and share the use of common devices or services.

Publicly accessible, de-identified and aggregate data are not personal information under CCPA. Additionally, certain types of information regulated by federal laws, such as medical information under the Medical Information Act, do not fall under the definition of CCPA personal information.

Data that cannot directly identify an individual may still be considered personal information if it can identify the consumer when combined with other information, like that in the hands of a service provider.

Categories of CCPA personal information 

Under CCPA, the following categories of data are listed as personal information if they can identify an individual. 

  • Identifiers
    • Real or alias name
    • Signatures 
    • Postal address
    • Unique personal identifiers
    • Online identifiers such as IP addresses
    • Account name
  • Contact information
    • Email addresses 
    • Telephone numbers
  • Identification numbers
    • State identification number
    • Social security number 
    • Driver’s license number
    • Passport number
    • Insurance policy number
  • Characteristics
    • Physical characteristics or description
    • Characteristics of protected classifications under California or federal statutes such as race, religion or ancestry
  • Professional information
    • Professional/employment-related information
    • Employment history
  • Education information that is not publicly available personal information as defined in the Family Educational Rights and Privacy Act
  • Financial information
    • Credit card or debit card numbers
    • Medical or health insurance information
  • Commercial information
    • Records of personal property
    • Products/services purchased, obtained or considered
    • Other purchasing history/tendencies
  • Biometric information
  • Electronic activity information such as browsing or search history
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Any inferences drawn using any of the above data to create a profile

The California Privacy Rights Act (CPRA) amendments added sensitive personal information such as citizenship, precise geolocation, religious beliefs, union membership, and sexual orientation to CCPA’s definition of personal information.

Note that this list is not exhaustive and may include similar identifiers and types of information.

Are cookies and other tracking technologies CCPA personal information?

Cookies, pixels or similar tracking technologies have become integral to online operations such as website functioning, analytics and digital marketing. They are classified as personal data/information under most privacy laws including California’s CCPA. 

When an individual visits a website, small files called cookies are deployed on user devices. Though they are not personal information by themselves, these cookies store information such as browsing activities, search history, preferences, location, etc. This information can then be used to create profiles of specific individuals or target advertisements that relate to consumers.

Therefore cookies, especially non-essential ones such as those used for advertising, are regulated by laws like CCPA and GDPR.

How to identify personal information in your organisation

If you are an organisation doing business in California or with Californians, it is crucial to identify the personal information that you possess. Here is a step-by-step guide to help you identify and manage CCPA personal information effectively.

#1 Understand what qualifies as CCPA personal information

You cannot guard what you cannot identify, and to identify something you need to know what it means. The same applies to consumers’ personal information.

The five key terms associated with the definition are “identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked”. Let us familiarise you with these terms. 

Information that identifies a consumer/household

The first word, “identifies”, signifies a direct connection, for example the way a thumbprint directly identifies a person.

Information that relates to a consumer/household

“Relates to” in the definition does not denote a direct connection but an indirect one. 

For example, your heart rate or your average number of steps might not directly identify you. But when a fitness application records them and uses them to create personalised workout recommendations for you, they become personal information. In short, what matters here is the purpose for which the data is used rather than its content.

Information that describes a consumer/household

The California law also covers descriptive information that can reveal a person’s identity. This includes patterns of behaviour, habits or activities.

For example, an online magazine collects information about your reading habits such as the genres you prefer, the articles you engage with and your reading time. This information can be used to create a profile of you, which can then be used for advertising purposes.

Information that is reasonably capable of being associated with or could reasonably be linked to a consumer/household

The phrasing “reasonably capable of being associated with” or “could reasonably be linked to” in the definition indicates that even if the data wasn’t specifically collected to identify, relate to, or describe an individual, it is personal information if it ultimately connects to the individual.

Consider a food delivery company that tracks its delivery vehicles to improve its route planning. This data could also reveal the delivery driver’s work habits, such as their delivery times, speeds and the routes they take. In that case, the data becomes personal information, as it can reasonably be linked to the driver.

#2 Conduct data mapping

Consistently performing data mapping gives you an understanding of the consumer data that your organisation holds. It is also a process required under nearly all data privacy laws, including the CCPA.

Data mapping generally involves recognising the different categories of sources, kinds of data, and monitoring the flow of data. It also helps businesses identify risk points where data might be vulnerable to breaches or misuse.

Focus on identifying areas such as customer data and behavioural information. You may also use automated tools for data mapping or data discovery, which saves time and effort. Such tools can also help you identify unstructured data in which personal information might be hidden.

#3 Classify and label data

After identifying the personal information, classify it into categories based on factors such as sensitivity and risk. This will help in managing and protecting individual consumer records.

#4 Understand third-party data sources

Third-party vendors or service providers often process personal information on your behalf. Therefore, it is important to assess their data practices and compliance with data protection standards. Keep this in mind while looking for a service provider or before engaging one.

#5 Review your data policies

Identifying personal information is crucial, as is reviewing data retention and storage policies. Conduct regular reviews to ensure that you do not possess any unwanted or incorrect information. This helps you identify the data that should be deleted or anonymised.

Consumer request mechanisms that allow consumers to delete or correct inaccurate personal information should also be a part of this process. 
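As an added example (not code from the original article or from CookieYes), the following Python data-discovery scanner carries out steps #2 and #3 over a constructed set of unstructured records: it detects a handful of the CCPA categories listed above, labels each record by the highest sensitivity it contains, applies a Luhn check so that long order numbers are not mistaken for payment card numbers, and stores only masked values so the data map does not itself become another copy of the personal information. The category names, the "personal"/"sensitive" labels and the sample records are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Detectors for CCPA personal-information categories named on this page; the label
# "sensitive" marks categories the CPRA treats as sensitive personal information.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "personal"),
    "telephone": (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "personal"),
    "ipv4_address": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "personal"),
    "social_security": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "sensitive"),
    "payment_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "sensitive"),
    "precise_geolocation": (re.compile(
        r"(?<![\d.])-?\d{1,3}\.\d{4,},\s*-?\d{1,3}\.\d{4,}(?![\d.])"), "sensitive"),
}
# Constructed sample of unstructured records (support tickets, a crash log, a draft).
SAMPLE_RECORDS = {
    "ticket-1042": "jd@example.com / 415-555-0123 asked about order 1234 5678 9012 3456.",
    "ticket-1043": "Refund to card 4242 4242 4242 4242; ID check used SSN 123-45-6789.",
    "crash-log-7": "client 203.0.113.45 reported location 37.7749, -122.4194 at 09:12 UTC",
    "faq-draft": "Our store hours are 9am to 6pm, Monday to Saturday.",
}

@dataclass
class Finding:
    category: str
    label: str
    masked_value: str  # the data map must not become a second copy of the data

def luhn_valid(candidate: str) -> bool:
    """Luhn checksum separates real card numbers from other long digit strings."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0

def classify_record(text: str) -> list[Finding]:
    findings = []
    for category, (pattern, label) in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "payment_card" and not luhn_valid(value):
                continue  # e.g. order numbers: long digit strings that fail Luhn
            masked = "*" * max(len(value) - 4, 0) + value[-4:]
            findings.append(Finding(category, label, masked))
    return findings

def build_inventory(records: dict[str, str]) -> dict[str, dict]:
    # Per-record data-map entry: highest label, categories found, masked findings.
    inventory = {}
    for record_id, text in records.items():
        findings = classify_record(text)
        label = "sensitive" if any(f.label == "sensitive" for f in findings) else "personal" if findings else "none"
        inventory[record_id] = {"label": label, "findings": findings,
                                "categories": sorted({f.category for f in findings})}
    return inventory
```

Regex detectors of this kind are a starting point for discovery, not a substitute for reviewing the context a record is used in (the "relates to" and "reasonably linked" tests above).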

Key CCPA requirements for protecting personal information

Businesses that come under the scope of CCPA must implement proactive strategies to safeguard personal information. Below is a rundown of the CCPA requirements for protecting personal data:

Data security 

Implement data security measures to protect the confidentiality and integrity of your consumers’ personal information.

Privacy notice

Create and publish a privacy notice, also known as a privacy policy, that describes your data practices: the categories of consumer data collected, data sources, data shared with third parties, the categories of third parties with whom the data is shared, consumer rights, how to submit consumer requests, etc.

Opt-out rights

CCPA requires businesses to conspicuously provide a “Do not sell my personal information” link that allows consumers to opt out of the sale of their personal information.

Similarly, businesses processing sensitive data must also provide a “Limit the use or disclosure of sensitive information” link conspicuously on their home page and web pages.

Cookie consent

Most websites use third-party cookies for purposes such as ad targeting. This can fall under the broad definition of “sharing or selling of personal information” under the CCPA. That is why websites should allow consumers to opt out of such cookies.

Figure: Cookie-based advertising percentages by industry in the United States during Q3 2023 (Statista)

Stay ahead of privacy regulations with CookieYes, the trusted solution for effortless cookie consent management. For years, CookieYes has helped businesses like yours manage cookie consent, ensuring that they are always in line with evolving privacy regulations. Adaptable, reliable, and user-friendly, CookieYes guarantees your business meets CCPA cookie consent requirements while providing a smooth experience for your website visitors.


Handle consumer requests

The CCPA rights allow consumers to exercise control over their personal data, which must be honoured by businesses. Businesses can comply with the requirement by offering user-friendly options for submitting consumer requests and having effective mechanisms to fulfil the requests promptly.

Implementing data protection measures: best practices

Businesses must implement strong data protection measures to lock down every weak spot and safeguard data. Here are some key strategies.

Data minimisation and purpose limitation

Limit the collection and use of personal information and do not collect unnecessary data from your consumers. Collecting data you do not need is not only a data protection risk but also a violation of CCPA.

Encryption

Encrypt personal information including sensitive personal information both in transit and at rest. This minimises the risk of unauthorised access or data breaches.

Employee training

Educate your employees about data protection regulations and their role in protecting personal information. Conduct periodic training sessions and tests to make sure that they remain privacy-vigilant.

Access controls

Just as data sharing outside the organisation should be regulated, similar precautions are needed within it. By implementing role-based access controls and regular audits, you can ensure that only authorised persons can access personal data.

Security audits

Perform regular security audits and vulnerability tests including data protection impact assessments and risk assessments to discover potential threats to data privacy and identify risk mitigation measures.

Tools and technologies for CCPA compliance

Businesses need more than just legal knowledge to comply with comprehensive data privacy laws like CCPA. They need the right tools to streamline the data practices. By leveraging automation and cutting-edge technology, companies can not only comply with CCPA requirements but also build customer trust, brand reputation and brand loyalty.

Consent Management Platforms (CMPs)

Consent management software is a tool for collecting, storing, and managing cookie consent and is an essential component of the CCPA requirements checklist. 

If you are looking for a quick but effective solution for CCPA cookie consent management, the CookieYes CMP is the way to go. Our beginner-friendly onboarding flow, easy implementation, and effortless consent management ensure your business’s ongoing compliance in a timely and cost-effective style.

Privacy policy generators

Creating a detailed privacy policy from scratch can be excruciating and prone to mistakes or missing details. This is where privacy policy generators step in. The generator’s pre-built template allows you to create a privacy policy for your business simply by answering a few questions. CookieYes CMP offers free policy generators that are reliable, easy to use, and time-saving.


Data discovery tools

Automated solutions like data discovery and mapping tools identify and categorise personal data. This helps your business manage data across various systems effectively and efficiently.

Privacy impact and risk assessment tools

These tools help you predict, identify, assess and resolve privacy threats. This way, you can make calculated decisions and find proactive solutions to prevent data breaches. 

DSAR automation tools

The CCPA’s pro-consumer stance requires companies to honour the preferences and rights of consumers.

While smaller businesses that receive relatively few consumer requests can handle them manually, larger enterprises that process a high volume of consumer requests may need to adopt an automated solution. This also lets you demonstrate your commitment to honouring consumer privacy rights.

FAQ on CCPA Personal information

What are the exemptions to the definition of personal information?

CCPA exempts information made available to the general public from federal, state or local government records or by the consumer himself through widely distributed media. It also exempts de-identified or aggregate consumer information if they are incapable of identifying a person. Some categories of personal information that are already covered by federal laws are also exempted from the CCPA’s definition of personal information.

What are the penalties for mishandling CCPA personal information?

The California Privacy Protection Agency (CPPA) and the California Attorney General can take legal action for fines, injunctions, and other relief against businesses violating CCPA provisions. The fines range from $2500 to $7500 per incident. Additionally, the private right of action allows consumers to sue businesses directly for specific data breach incidents.

How can businesses differentiate between personal information and sensitive personal information under CCPA?

While all sensitive information falls under the umbrella of personal information, the CCPA defines sensitive data narrowly. Any type of personal data that can cause significant harm, risks or discrimination if compromised is treated as sensitive under the law. Examples include racial or ethnic origin, ancestry, sexual orientation, precise geolocation, religious or philosophical beliefs, citizenship, immigration status and genetic data.

Do businesses need consumer consent to collect personal information under CCPA?

The CCPA employs an opt-out model instead of the opt-in model used in GDPR. As a result, companies can collect consumer data without obtaining consent. Nevertheless, it is essential to offer methods for consumers to exercise their rights, including the ability to opt out of the sale of their personal information. For individuals under 16 years old, consent must be obtained before selling their data.

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
