What Is Personal Information Under the CPRA? Examples, Best Practices, and Compliance Tips


Kevin Henry

Data Privacy

March 28, 2025


Definition of Personal Information under CPRA

What the CPRA considers personal information

The California Privacy Rights Act (CPRA), which amends the CCPA, defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition is broad: customer, website visitor, employee, job applicant, contractor, and business-to-business contact data all fall within it, since the CPRA's temporary exemptions for employee and B2B data expired on January 1, 2023.

Common examples by category

  • Identifiers: name, alias, postal address, unique personal identifier, online ID, IP address, email, and device IDs.
  • Customer records: account numbers, phone numbers, signatures, and billing details.
  • Commercial data: purchase history, service interactions, and product preferences.
  • Internet/tech activity: browsing history, app usage, log data, cookies, and cross-device signals.
  • Geolocation: general location data; precise geolocation (the statute's threshold is a radius of 1,850 feet) is sensitive personal information.
  • Audio/visual: call recordings, CCTV footage, voice mails, and photos associated with an individual.
  • Professional/education: job titles, employer, license numbers, and training records.
  • Inferences: profiles reflecting interests, behavior, or predicted preferences.

What is not personal information

Publicly available information (lawfully made available from government records, or information the consumer made available to the general public or a broad audience), de-identified data, and aggregated data are excluded. De-identification only counts if the business takes reasonable measures to prevent re-identification, publicly commits not to re-identify the data, and contractually binds recipients to the same. Pseudonymous data remains personal information whenever the key or context that links it back to a person is reasonably available.

Sensitive Personal Information under CPRA

Definition and scope

Sensitive personal information is a defined subset of personal information: Social Security, driver's license, state identification, and passport numbers; account log-in, financial account, or debit/credit card numbers combined with any required security or access code or password; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; the contents of mail, email, and text messages unless the business is the intended recipient; genetic data; biometric information processed to uniquely identify a consumer; health information; and information about sex life or sexual orientation.

Examples and heightened handling

  • Financial credentials: bank logins, card numbers plus security codes.
  • Precise geolocation: GPS coordinates or location within a small radius.
  • Biometrics: fingerprints, facial templates, and voiceprints used for identification.
  • Communications content: email or message bodies an app reads from a user's inbox, where the business is not the intended recipient.

Consumers may direct you to limit the use and disclosure of their sensitive personal information to what is necessary to provide the goods or services they request (plus a short list of other purposes the regulations permit, such as security and fraud prevention). Your processes should honor a limit request end to end, including in downstream analytics and vendor feeds, and document how the data is restricted.

Data Minimization Principle

Purpose limitation and proportionality

The CPRA's data minimization principle requires you to collect, use, retain, and share only the personal information that is reasonably necessary and proportionate to the purposes for which it was collected, as disclosed at or before collection. A new purpose that is incompatible with the context in which the data was collected requires fresh notice and, under the regulations, the consumer's explicit consent.

How to operationalize minimization

  • Perform data flow mapping to identify sources, systems, and disclosures for each data category.
  • Link every field to a documented purpose and legal basis; remove fields with weak or no purpose.
  • Set retention limits by category and enforce deletion using automated jobs and backup hygiene.
  • Review forms and SDKs quarterly to eliminate optional collection and reduce tracking scopes.

Examples in practice

  • Collect a ZIP code for shipping estimates rather than precise geolocation, and collect the full address only when checkout requires it.
  • Hash or tokenize identifiers used for analytics. Note that an unsalted hash of an email address is reversible by anyone holding a list of candidate addresses, so use a keyed hash (HMAC) or a token vault, with the key held outside the analytics environment.
  • Keep support tickets for a set period tied to warranty or regulatory needs, then purge.

Consumer Rights under CPRA

Core consumer data rights

  • Right to know/access: the categories and specific pieces of personal information collected, sources, purposes, and disclosures.
  • Right to delete: removal of personal information subject to specified exceptions.
  • Right to correct: rectification of inaccurate personal information.
  • Right to opt out of sale or sharing: including cross-context behavioral advertising.
  • Right to limit sensitive personal information use/disclosure.
  • Data portability and non-discrimination for exercising rights.

How to honor requests

  • Offer at least two submission methods (a toll-free number plus a web form or email address; a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address).
  • Verify identity using risk-based steps; avoid collecting more sensitive personal information than necessary to verify the request.
  • Respond within statutory timelines: 45 days for access, deletion, and correction requests, extendable once by a further 45 days with notice to the consumer; opt-out and limit requests must be honored within 15 business days. Document extensions and the reasons for them.
  • Recognize and honor opt-out preference signals such as Global Privacy Control (sent by browsers as the Sec-GPC: 1 request header). The regulations require you to treat a valid signal as a request to opt out of sale and sharing, without making the consumer also click through a banner or create an account.
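The opt-out preference signal bullet above is the one place in the request-handling list that maps directly to code, so here is an added example (not code from the original article) of honoring Global Privacy Control at the server. It assumes the request is modeled as a plain dict of header names to values and that consent state is a small in-memory record keyed by a hypothetical account id; the sample requests are constructed. The only thing it relies on from the real world is the GPC header format, "Sec-GPC: 1".

```python
"""Honor the Global Privacy Control (GPC) opt-out signal on inbound requests.

Added example, not code from the original article. Assumptions (not from the
page): the request is a plain dict of header names, and consent state is a
small in-memory record keyed by a hypothetical account id. Browsers send GPC
as the HTTP header "Sec-GPC: 1"; any other value, or the header's absence, is
NOT an opt-out and NOT consent to sale or sharing.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def gpc_opt_out_requested(headers: Dict[str, str]) -> bool:
    """Return True only for a well-formed GPC signal (Sec-GPC: 1).

    Header names are compared case-insensitively; the value must be exactly
    "1" after trimming whitespace. "0", "true", or a missing header mean no
    signal was sent, which is not the same as the consumer consenting.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsentRecord:
    account_id: str
    sell_or_share_opted_out: bool = False
    source: Optional[str] = None  # how the opt-out was received, for the audit trail


def apply_gpc(headers: Dict[str, str], record: ConsentRecord) -> ConsentRecord:
    """Treat a GPC signal as a valid request to opt out of sale/sharing.

    The signal only ever moves the record toward opted-out. A later request
    that lacks the header does not re-enable sale/sharing: an opt-out stands
    until the consumer affirmatively opts back in through the business's own UI.
    """
    if gpc_opt_out_requested(headers):
        record.sell_or_share_opted_out = True
        record.source = "gpc"
    return record


def ad_tag_allowed(record: ConsentRecord) -> bool:
    """Gate for cross-context behavioral advertising tags and pixels."""
    return not record.sell_or_share_opted_out


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"sec-gpc": "1", "user-agent": "Mozilla/5.0"},  # valid opt-out signal
    {"Sec-GPC": "0"},                                # explicit "0": no signal
    {"user-agent": "Mozilla/5.0"},                   # header absent: no signal
    {"SEC-GPC": " 1 "},                              # tolerate case and whitespace
]


def demo() -> List[Tuple[bool, bool]]:
    """For each sample request: (opted_out, ad_tag_allowed) on a fresh record."""
    results = []
    for h in SAMPLE_REQUESTS:
        rec = apply_gpc(h, ConsentRecord(account_id="acct-demo"))
        results.append((rec.sell_or_share_opted_out, ad_tag_allowed(rec)))
    return results


if __name__ == "__main__":
    for h, (opted_out, allowed) in zip(SAMPLE_REQUESTS, demo()):
        print(h, "-> opted_out=%s, ad_tag_allowed=%s" % (opted_out, allowed))
```

The strict comparison matters: a permissive check that treats any non-empty `Sec-GPC` value as a signal will mis-classify `0`, while one that reads a missing header as consent inverts the default the regulations require.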

Compliance Best Practices

Program governance

Assign a privacy lead, define RACI across legal, security, product, marketing, and HR, and maintain an audit-ready record of processing activities mapped to CPRA obligations.

Data flow mapping and inventories

Build a live inventory of systems, vendors, and data elements. Use data flow mapping to trace collection points, internal uses, and disclosures so you can show alignment with the data minimization principle and respond to consumer requests efficiently.

Third-party contracts

  • Use written agreements that limit use to specified purposes, require privacy policy compliance, and mandate appropriate security procedures.
  • Flow down obligations to subprocessors, prohibit combining data across clients except as allowed, and require prompt notice of non-compliance.
  • Enable audits or assessments, mandate deletion/return at termination, and document instructions for handling sensitive personal information.

Training and accountability

Train employees who handle personal information and consumer requests. Track completion, test comprehension, and tie metrics to performance goals for sustained compliance.

Security Measures for Personal Information

Risk-based security procedures

Adopt layered controls proportionate to data sensitivity and business risk. Emphasize least privilege access, multi-factor authentication, encryption in transit and at rest, and hardened configurations.

Operational safeguards

  • Endpoint and cloud posture management, vulnerability scanning, and timely patching.
  • Network segmentation, secret rotation, key management, and secure software development practices.
  • Audit logging, anomaly detection, and periodic access reviews for high-risk systems.

Data lifecycle protections

  • Retention schedules tied to purpose; deletion workflows for production, analytics, and backups.
  • Pseudonymization and tokenization to reduce exposure without losing utility.
  • Vendor security due diligence, ongoing monitoring, and contractual breach obligations.
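The "hash or tokenize identifiers" advice in the data minimization section and the pseudonymization bullet above share one pitfall, so a single added example (not code from the original article) covers both. It shows that a plain SHA-256 of an email address is reversed instantly by a dictionary attack, that an HMAC with a secret key resists the same attack while still letting events be joined, and that destroying the key later (crypto-shredding) makes the pseudonyms unlinkable without rewriting every row. The email list is constructed sample data, and the keyring class is an illustrative stand-in for a key held in a KMS outside the analytics store.

```python
"""Pseudonymizing identifiers for analytics: plain hashing vs a keyed hash.

Added example, not code from the original article. Assumptions (not from the
page): identifiers are email addresses, the analytics store must stay joinable
per person but must not let an analyst recover the email, and the
pseudonymization key lives outside the analytics store (e.g. in a KMS).
SAMPLE_EMAILS is constructed sample data, not real accounts.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def plain_hash(identifier: str) -> str:
    """The naive approach: unsalted SHA-256 of the normalized identifier."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def dictionary_attack(hashed: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Reverse unsalted hashes by hashing guesses and matching.

    Anyone holding the analytics table plus a list of known addresses (a
    marketing list, a breach dump, a CRM export) can do this instantly, so
    plain hashes of identifiers are still "reasonably linkable" personal
    information.
    """
    lookup = {plain_hash(c): c for c in candidates}
    return {h: lookup[h] for h in hashed if h in lookup}


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key held apart from the analytics store.

    Without the key an attacker cannot compute candidate pseudonyms, so the
    dictionary attack fails. The output is stable for a given key, so events
    for one person can still be joined.
    """
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


class PseudonymizationKeyring:
    """Holds the current key and supports crypto-shredding (hypothetical stand-in
    for a KMS-managed key)."""

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)

    def pseudonymize(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed: no new pseudonyms can be issued")
        return keyed_pseudonym(identifier, self._key)

    def destroy(self) -> None:
        """End of retention period: delete the key, not millions of rows."""
        self._key = None

    def can_relink(self, identifier: str, pseudonym: str) -> bool:
        """Re-identification is only possible while the key exists."""
        if self._key is None:
            return False
        return hmac.compare_digest(keyed_pseudonym(identifier, self._key), pseudonym)


def demo() -> dict:
    leaked_plain = [plain_hash(e) for e in SAMPLE_EMAILS]
    recovered = dictionary_attack(leaked_plain, SAMPLE_EMAILS)

    ring = PseudonymizationKeyring()
    leaked_keyed = [ring.pseudonymize(e) for e in SAMPLE_EMAILS]
    # The attacker can only compute plain hashes of guesses; none match HMACs.
    recovered_keyed = dictionary_attack(leaked_keyed, SAMPLE_EMAILS)

    relink_before = ring.can_relink(SAMPLE_EMAILS[0], leaked_keyed[0])
    ring.destroy()
    relink_after = ring.can_relink(SAMPLE_EMAILS[0], leaked_keyed[0])
    return {
        "plain_recovered": len(recovered),      # 3: every email recovered
        "keyed_recovered": len(recovered_keyed),  # 0
        "relink_before_shred": relink_before,     # True
        "relink_after_shred": relink_after,       # False
    }


if __name__ == "__main__":
    print(demo())
```

Two operational caveats follow from the design: the key must never be written into the analytics environment (otherwise it is an unsalted hash with extra steps), and any record of the key's destruction belongs in the retention audit trail, since it is the evidence that the pseudonyms are no longer linkable.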

Incident readiness

Maintain an incident response plan with roles, playbooks, and communication templates. Rehearse with tabletop exercises and track lessons learned to strengthen defenses.

Privacy Policy Requirements

What your policy must cover

  • Categories of personal information and sensitive personal information collected and the purposes for each.
  • Whether you sell or share personal information and how consumers can opt out.
  • How consumers can exercise consumer data rights, including correction, deletion, and limiting sensitive personal information.
  • Categories of sources, recipients/third parties, and high-level retention periods or criteria per category.
  • Contact methods, verification approach, and how you will notify consumers of material changes.

Notices and user experience

  • Provide a clear notice at collection that matches your data practices.
  • Offer prominent “Do Not Sell or Share” and “Limit the Use of My Sensitive Personal Information” options where applicable.
  • Use plain language, accessible formats, and languages appropriate for your audience.

Maintaining privacy policy compliance

Review product launches, marketing tags, and third-party contracts against the policy before deployment. Version and date your policy, keep an archive, and align disclosures with ongoing data flow mapping.

Conclusion

The CPRA casts a wide net over personal information and creates extra protections for sensitive personal information. If you anchor your program in the data minimization principle, engineer strong security measures, manage third-party contracts carefully, and keep your notices accurate, you will be well-positioned for durable compliance.

FAQs

What types of personal information are protected under the CPRA?

The CPRA protects data that can identify or be reasonably linked to a consumer or household. Examples include identifiers (name, email, IP), commercial history, online activity, geolocation, audio/visual records, professional and education data, and inferences. De-identified, aggregated, and truly publicly available information are generally outside scope.

How should businesses handle sensitive personal information?

Treat sensitive personal information with heightened care: limit collection to the stated purpose, restrict internal access, encrypt and segregate it, and honor consumer requests to limit use and disclosure. Avoid using it for cross-context advertising or profiling unless it is necessary and permitted, and document your controls.

What are consumers' rights regarding their personal data under the CPRA?

Consumers can know/access, delete, correct, and receive their data in a portable format. They can opt out of the sale or sharing of personal information and limit the use/disclosure of sensitive personal information. They are protected from discrimination for exercising these rights, and businesses must respond within required timelines.

What best practices ensure CPRA compliance?

Build a governance program anchored in data flow mapping and the data minimization principle. Keep accurate inventories, enforce retention and deletion, implement robust security procedures, and use strong third-party contracts. Update and test processes for consumer requests, and keep your privacy policy compliance in lockstep with how you actually handle data.
