With all of the different types of data privacy laws that exist across the world, it can get confusing when trying to understand the different terms and definitions. In this guide, we’ll break down in simple terms the definition of Personal Information under the California Privacy Rights Act, or CPRA.
The General Data Protection Regulation (GDPR), which took effect in 2018, was designed to make sure that any business dealing with personal data acquired in the EU would have to take real measures to secure both that data and the privacy of the data subjects it concerns. Any entity that handled the personal data of data subjects who were inhabitants of the EU was subject to it, regardless of where it was headquartered.
Similar in scope, the California Privacy Rights Act (a.k.a. CPRA) pertains to "for-profit" organizations that interact with the private information of California citizens and that satisfy one of three requirements. A company must meet the following three requirements to be subject to the CPRA's authority:
The California Privacy Rights Act of 2020 is set to go into effect in the spring of 2023. The CPRA expands the definition of "Personal Information", among its many other additions and modifications to the CCPA (California Consumer Privacy Act).
Specifically, the category of Sensitive Personal Information is added. This new category adopts the definition of Special Category Data from the EU General Data Protection Regulation, adds data components that are frequently considered sensitive in the U.S., and adds a fresh twist by incorporating the contents of a customer's mail, email, and text messages.
According to the CPRA, "sensitive personal information" is broadly defined as "personal information that is not generally available" and discloses:
Businesses now have two main duties as a result of the introduction of this new category of personal information.