What Counts as Personal Information Under the CPRA? Real-World Scenarios and Examples
Personal Information Definition and Scope
The California Privacy Rights Act (CPRA) treats personal information as any data that identifies, relates to, describes, or is reasonably linkable—directly or indirectly—to a particular consumer or household. This includes obvious identifiers, device and browser data, and records that can be combined through data linkage to point back to you.
“Reasonably linkable” is a practical test: if a business can tie data to you or your household using typical tools and methods, the data likely counts. Aggregated or properly de‑identified data falls outside the scope, but only when technical and contractual safeguards prevent re‑identification. Public records exclusions also apply to information lawfully available from government records or widely distributed public sources.
The CPRA strengthens consumer privacy rights, giving you the ability to know, access, correct, delete, and opt out of the sale or sharing of personal information used for cross‑context behavioral advertising. It also adds sensitive personal information controls and requires businesses to follow data minimization principles—collecting, using, and retaining only what is necessary and proportionate for disclosed purposes.
Common Identifiers as Personal Information
Common identifiers are the everyday data points companies use to recognize you. When they can be linked back to you or your household, they are personal information under the CPRA.
Direct identifiers
- Name, postal address, email address, phone number
- Government IDs (e.g., driver’s license, passport) and account credentials
- Customer account numbers, loyalty IDs, and device‑registered names
Online and persistent identifiers
- IP address, cookie IDs, mobile advertising IDs, device fingerprints
- Login handles, screen names, and unique personal identifiers used across sites or apps
- Telemetry like browser type, plug‑ins, or time zone when used for recognition
Even seemingly generic data can be personal information when it is combined, through data linkage, with other elements that single you or your household out.
Biometric Information Use Cases
Biometric information covers physiological, biological, or behavioral traits used to identify you. Under the CPRA, many biometrics are also sensitive personal information, triggering stricter controls.
- Workforce access: fingerprint or palm‑vein scans to clock in, with templates stored for matching.
- Consumer devices: facial recognition to unlock a phone; voiceprints to authenticate in a banking app.
- Security and fraud: keystroke dynamics or gait analysis used to detect account takeover.
- Proctoring and exam integrity: face and gaze tracking to confirm presence and prevent cheating.
If a system stores raw images or derived templates that enable unique identification, it is personal information. You should see clear notices, limited retention, and options to restrict use consistent with data minimization principles.
Geolocation Data Examples
Location data becomes personal information when it can be tied to you or your household. The CPRA treats precise geolocation—typically location within a 1,850‑foot radius—as especially sensitive.
- Retail analytics: beacon pings show you entered a store at 3:12 p.m. and visited the shoe aisle.
- Delivery and rideshare logs: trip start and end points linked to your account history.
- Smart devices: a connected doorbell creates a time‑stamped map of household comings and goings.
- Geofenced ads: mobile IDs targeted because you visited a stadium or medical clinic.
Coarse location (e.g., city or ZIP code) may still be personal information when linkable to you or your household; precise geolocation is generally treated as sensitive personal information.
Inferences and Behavioral Profiles
The CPRA explicitly covers inferences—conclusions drawn from your data to create a profile about preferences, characteristics, or behavior. These inferences power personalization but also raise behavioral profiling concerns.
- Commerce: purchase history used to infer “new parent,” “home renovator,” or “frequent traveler.”
- Media: viewing patterns inferring political interests or health‑related topics.
- Risk: device, location, and timing signals predicting fraud likelihood.
- Lifestyle: gym check‑ins and meal‑delivery orders inferring fitness or dietary habits.
Because inferences are personal information, you can access them, delete them where applicable, and opt out of their sale or sharing when they are used for cross‑context behavioral advertising. Businesses should apply data minimization principles and avoid retaining inferences longer than needed.
Household Data Contexts
Personal information under the CPRA includes household‑level data—information that relates to people sharing a residence, even if it does not identify an individual by name.
- Shared devices: smart speakers, TVs, and thermostats generating logs tied to a home account.
- Network signals: a router’s IP address associated with all household browsing activity.
- Utilities and services: water, energy, or security system usage patterns for the dwelling.
- Connected cars and appliances: trip histories or appliance diagnostics tied to the household garage or kitchen, not a single person.
When you make requests, businesses may need to verify household membership and may limit disclosures to protect the privacy of all members. Household‑level data is covered unless it is truly aggregated or de‑identified.
Sensitive Personal Information Considerations
Sensitive personal information (SPI) requires extra care and gives you added controls. SPI commonly includes Social Security, driver’s license, or passport numbers; financial account and card numbers with access codes; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; genetic data; biometric identifiers used for unique ID; health information; sex life or sexual orientation; and the contents of your mail, email, and texts when the business is not the intended recipient.
Practical guardrails for SPI
- Limit use and disclosure: allow only what is necessary to provide requested goods or services.
- Offer the right to limit: give you a clear path to restrict additional processing of SPI.
- Strengthen purpose and retention limits: collect narrowly, keep briefly, and delete reliably.
- Reduce sharing: avoid using SPI for behavioral profiling or cross‑context behavioral advertising.
- Harden security: apply stronger access controls, encryption, and auditable handling.
Bottom line: if data can reasonably identify you or your household—or be linked through data linkage to do so—it likely counts as personal information under the CPRA. Treat precise location and biometrics as sensitive, respect consumer privacy rights, honor public records exclusions, and embed data minimization principles across the lifecycle.
FAQs
What types of data are considered personal information under the CPRA?
Any data that identifies, relates to, describes, or is reasonably linkable to you or your household is covered. That ranges from names, emails, IP addresses, and cookie IDs to transaction records, geolocation, biometrics, and inferences used for profiling. Aggregated or de‑identified data that cannot reasonably be re‑linked falls outside the definition.
How does the CPRA define sensitive personal information?
Sensitive personal information includes categories such as government IDs, financial account and card numbers with required access credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric identifiers used for unique identification, health data, sex life or sexual orientation, and the contents of mail, email, and texts when the business is not the intended recipient. You have the right to limit how businesses use and disclose SPI.
Are household-level data covered by the CPRA?
Yes. Personal information encompasses data related to a household, not just an individual. Examples include smart‑home logs, utility usage tied to an address, or a home IP address. Businesses must balance access rights with verification to protect all household members and may restrict disclosures where necessary.
What information is excluded from personal information under the CPRA?
Public records exclusions apply to information lawfully made available from government records or widely distributed public sources. Truly de‑identified and aggregate data are also excluded, provided re‑identification is not reasonably possible. Data outside a business’s ability to reasonably link to you or your household is generally not treated as personal information.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.