All-in-one Risk Management Platform

What is Personal Information Under the CPRA?

What exactly qualifies as personal information under the California Privacy Rights Act?
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

What is Personal Information Under the CPRA?

With all of the different types of data privacy laws that exist across the world, it can get confusing when trying to understand the different terms and definitions. In this guide, we’ll break down in simple terms the definition of Personal Information under the California Privacy Rights Act, or CPRA.

What is the CPRA?

The General Data Protection Regulation (GDPR), which took effect in 2018, was designed to make sure that any business dealing with personal data acquired in the EU would have to take real measures to secure both that data and the privacy of the data subjects it concerns. Any entity that handled the personal data of data subjects who were inhabitants of the EU was subject to it, regardless of where it was headquartered.

Similar in scope, the California Privacy Rights Act (a.k.a. CPRA) pertains to "for-profit" organizations that interact with the private information of California citizens that satisfies one of three requirements. A company must meet the following three requirements to be subject to the CPRA's authority:

  1. The CPRA will apply to companies that exchange the personal information of at least 100,000 customers or families. The CCPA's previous 50,000 consumer threshold has been updated, making it a more accommodating piece of law for small- to medium-sized businesses. 
  2. The California Privacy Rights Act requirements will also apply to a company that has $25 million in gross sales by January 1 of the previous year. 
  3. The CPRA also has authority over companies that derive 50% or more of their total income from sharing or selling user-collected personal information.
“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

What is Considered Personal Information Under the CPRA?

The California Privacy Rights Act of 2020 is set to go into effect in the spring of 2023. The California Consumer Privacy Act (CPRA) increases the definition of "Personal Information" among its many other additions and modifications from the CCPA (California Consumer Protection Act). 

Specifically, the category of Sensitive Personal Information is added. This new category adopts the definition of Special Category Data from the EU General Data Protection Regulation, adds data components that are frequently considered sensitive in the U.S., and adds a fresh twist by incorporating the contents of a customer's mail, email, and text messages.

According to the CPRA, "sensitive personal information" is widely defined as "personal information that is not generally available" and discloses:

  • A customer's passport, state ID, driver's license, or social security number.
  • The username, password, or other credentials needed to access an account for a customer, along with their financial information, debit card, or credit card number.
  • The specific geolocation of a customer.
  • The racial or cultural background, religious or philosophical convictions, or union membership of a customer.
  • The information included in a customer's mail, emails, and text messages, unless the company is the intended receiver.
  • The genetic information of a customer.
  • Processing biometric data with the aim of uniquely identifying a customer
  • Health-related personal information about a customer.
  • Personal information on a customer's sexual preferences or activity.

Businesses now have two main duties as a result of the introduction of this new category of personal information. 

  • A company must disclose sensitive personal information to consumers, including job seekers and workers, in its notice at the time of collection, as well as in any online privacy policies or California-specific descriptions of consumer rights. In accordance with the CPRA, this notice must now additionally state which categories of sensitive personal information will be gathered, why they will be used, if they will be shared or sold, and how long the business plans to keep each category of sensitive personal information.
  • A company may only gather or use sensitive personal data for the restricted objectives specified by the CPRA and in accordance with future implementation rules if it is necessary to deliver the services or products that the customer has requested. The customer must be informed of the planned use or disclosure as well as their ability to limit it if the business plans to use or disclose this information for any other reason. A company has to give the customer an opt-out option so they may exercise their right easily. This right to restrict use or disclosure does not apply to sensitive personal information that is not gathered or processed with the intention of inferring a consumer's characteristics.

Like what you see?  Learn more below

What exactly qualifies as personal information under the California Privacy Rights Act?
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)