The California Consumer Privacy Act (CCPA) defines personal data as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This definition of personal data is broad and encompasses a wide range of information, from obvious identifiers like a person’s name, address, and phone number, to less obvious data like IP addresses, browsing history, and cookie data.
The CCPA provides California consumers with greater control over their personal data and gives them the right to know what personal data businesses collect about them, the right to request that their personal data be deleted, and the right to opt-out of the sale of their personal data.
What kind of data is considered Personal Information in CCPA?
Under the CCPA, personal data is defined very broadly and includes a wide range of information, including:
- Real name
- Postal address
- Email address
- Phone number
- Social Security number
- Driver’s license number
2. Characteristics of protected classifications under California or federal law
- National origin
- Physical or mental disability
- Medical condition
- Sexual orientation
- Age (40 years or older)
3. Commercial information
- Records of personal property, products or services purchased, obtained, or considered
- Other purchasing or consuming histories or tendencies
4. Biometric information
- Facial recognition data
- Retinal scans
5. Internet or other similar network activity
- Browsing history
- Search history
- Information on a consumer’s interaction with a website, application, or advertisement
- IP address
- Device ID
6. Geolocation data
- Physical location data
- GPS data
7. Professional or employment-related information
- Current or past job history
- Education information
8. Inferences drawn from any of the above
- Personality profile
What are the implications of CCPA for handling of personal information?
The CCPA has significant implications for businesses that collect, process, and store the personal data of California consumers. Businesses must comply with the CCPA’s requirements for the handling and protection of personal data, including:
- Providing notice to California consumers about the types of personal information the business collects and how it will be used
- Allowing California consumers to request access to their personal data and request that it be deleted
- Providing California consumers with the right to opt-out of the sale of their personal information
- Implementing reasonable security measures to protect personal data
- Providing additional protections for minors under the age of 16
What are the consequences of non-compliance with CCPA?
The CCPA provides for civil penalties of up to $7,500 per violation for intentional violations and $2,500 per violation for unintentional violations. In addition, the CCPA gives California consumers the right to sue businesses for data breaches that result in unauthorized access to or theft of their personal data.