The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), defines “Personal Information” (PI) as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This can include, but is not limited to:
- Identifiers: Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Personal Information categories listed in the California Customer Records statute: Name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Characteristics of protected classifications under California or federal law.
- Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information: Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).
- Inferences drawn from other personal information: Profile reflecting a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The CPRA also introduces a new category called “sensitive personal information,” which includes details such as:
- Social Security number, driver’s license, state ID card, or passport number.
- Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- Precise geolocation.
- Racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient.
- Genetic data.
- Biometric information for the purpose of uniquely identifying a consumer.
- Health information.
- Information concerning a consumer’s sex life or sexual orientation.