What Is Personal Information Under the CPRA? A Beginner’s Guide

Kevin Henry

Data Privacy

March 28, 2025

6-minute read

Definition of Personal Information

The California Privacy Rights Act (CPRA) defines personal information broadly. It is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked—directly or indirectly—with a particular consumer or household. In practice, that means details about you, your devices, or your household fall within scope.

Under the CPRA, “consumer” means a California resident. Personal information is not limited to obvious identifiers like a name; it also includes unique IDs, persistent online identifiers, and profiles built from your interactions. This expansive definition underpins key Consumer Privacy Rights and shapes CPRA Compliance Requirements for businesses.

Examples of Personal Information

Below are common categories the CPRA treats as personal information. Not every example will apply in every context, but each can be reasonably linked to you or your household.

  • Identifiers: real name, alias, postal address, unique personal identifier, online identifier, IP address, email, account name, or government ID numbers (where not otherwise excluded).
  • Customer records and characteristics: phone number, signature, physical traits, protected-class characteristics, or date of birth.
  • Commercial information: products or services purchased, obtained, or considered; transaction histories and tendencies.
  • Internet or network activity: browsing history, search history, app usage, and interactions with websites, applications, or advertisements.
  • Geolocation data: location information derived from devices or services.
  • Audio, visual, thermal, or similar information: call recordings, CCTV footage, or voice samples.
  • Professional or employment-related information and education information (non-public).
  • Inferences: profiles reflecting preferences, behavior, abilities, or predispositions drawn from other data.

Sensitive Personal Information

Sensitive personal information is a special subset that triggers additional rights and Information Disclosure Limitations. It includes data that could cause significant harm or intrusion if misused—often referred to as Sensitive Personal Data.

  • Government identifiers: Social Security, driver’s license, state ID, or passport numbers.
  • Financial data: account and card numbers with credentials, logins, or security codes.
  • Precise geolocation, racial or ethnic origin, religious or philosophical beliefs, and union membership.
  • Contents of mail, email, and text messages when the business is not the intended recipient.
  • Genetic data, and biometric information processed to uniquely identify a person (for example, fingerprints, faceprints, or voiceprints).
  • Health-related data and information concerning a person’s sex life or sexual orientation, where not otherwise exempt.

Consumers have a specific right to limit the use and disclosure of sensitive personal information to what is necessary to provide requested goods or services. Businesses must honor limitation requests and ensure contractors and service providers do the same.

Exclusions from Personal Information

Some data is outside the CPRA’s scope or receives tailored treatment. Understanding these boundaries helps clarify what the law does—and does not—cover.

  • Publicly Available Information Exemption: information lawfully made available from government records, and certain information a business reasonably believes a consumer has made available to the general public or that appears in widely distributed media.
  • Deidentified and aggregated information: data processed to remove reasonable linkability to a person or household, and statistics that do not relate to an identifiable individual.
  • Sectoral exemptions: specific obligations do not apply to data already governed by laws such as HIPAA/CMIA (for medical and health records), GLBA (for certain financial data), or FCRA (for certain credit-reporting uses), among others.
  • Note on workplace and B2B data: employee/applicant and business-to-business contact data are generally in scope under the CPRA, though some targeted exemptions and obligations may differ by context.

Rights Granted to Consumers

The CPRA strengthens Consumer Privacy Rights and ensures you can control how businesses handle your data. At a high level, you can expect the following rights, subject to defined exceptions and verification requirements:

  • Right to know and access: request categories and specific pieces of personal information collected, sources, purposes, and categories of recipients.
  • Right to delete: ask a business (and its service providers/contractors) to delete personal information, with limited exceptions.
  • Right to correct: request correction of inaccurate personal information.
  • Right to opt out of sale or sharing: stop the sale or sharing of personal information, including for cross-context behavioral advertising.
  • Right to limit sensitive personal information: restrict use and disclosure of sensitive personal information to necessary functions.
  • Right to data portability: receive your information in a portable, usable format.
  • Right to non-discrimination: receive equal service and price even when exercising privacy rights.

To meet these rights, businesses must implement clear notices, robust verification procedures, and practical Information Disclosure Limitations across their ecosystems.

Applicability of CPRA

The CPRA applies to for-profit entities that do business in California, determine the purposes and means of processing, and meet at least one Data Collection Threshold or revenue criterion. Nonprofits generally are not “businesses” under the statute, though they may act as service providers or contractors.

  • Annual gross revenues over $25 million (in the preceding calendar year).
  • Buying, selling, or sharing the personal information of 100,000 or more consumers or households.
  • Deriving 50% or more of annual revenues from selling or sharing consumers’ personal information.

Obligations also flow to service providers, contractors, and third parties via mandatory contracts. Core CPRA Compliance Requirements include purpose limitation and data minimization, honoring opt-out and limitation requests, maintaining a data retention schedule, providing notice at collection, using appropriate security safeguards, and ensuring downstream recipients handle data only for permitted purposes.

In short, personal information under the CPRA covers a wide range of data about California residents, with extra protections for sensitive categories. If your organization meets the thresholds or revenue tests and touches California data, you must build programs that respect consumer choices and limit data use to what is necessary and proportional.

FAQs

What types of personal information are protected under the CPRA?

The CPRA protects information that can identify, relate to, or be reasonably linked to a California resident or household. This includes identifiers (like names, emails, IP addresses), commercial records, online activity, geolocation, audio/visual data, professional and education records, and inferences drawn from those categories.

How does the CPRA define sensitive personal information?

Sensitive personal information covers high-risk data such as government IDs; financial accounts with credentials; precise geolocation; racial or ethnic origin; religious beliefs; union membership; contents of messages where the business is not the intended recipient; genetic and biometric identifiers; and certain health or sexual-life information. Consumers can require businesses to limit the use and disclosure of this data.

What rights do consumers have regarding their personal information under the CPRA?

Consumers can access, know, and receive their data; delete it; correct inaccuracies; opt out of the sale or sharing of personal information; limit the use of sensitive personal information; obtain portable copies; and be free from discrimination for exercising these rights.

Who is subject to the CPRA regulations?

For-profit businesses that do business in California and either exceed $25 million in annual gross revenue, buy/sell/share personal information of 100,000 or more consumers or households, or derive 50% or more of annual revenue from selling or sharing personal information are subject to the CPRA. Service providers, contractors, and third parties are bound through required contractual terms.
