CCPA for Personal Information

The California Consumer Privacy Act (CCPA) may affect how your website is allowed to handle the personal information of Californians.

Updated November 30, 2020.

CCPA’s definition of personal information is a groundbreaking legal advance in the US, as California becomes the first state in the nation to endow its residents with enforceable rights and ownership over their own data.

In this blog post, we dive into the specifics of the CCPA’s personal information provision.

What’s the exact definition? What are some concrete examples of CCPA’s personal information? And what does the CCPA say about the use of personal information on websites?

Find the answers and become compliant with Cookiebot consent management platform (CMP).

CCPA personal information definition

In the CCPA, personal information is defined as:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

According to the CCPA, personal information is a broad category covering all kinds of data, ranging from the most straightforward and intuitive personal data to things that might not at first sight seem like personal data at all.

A list of what is defined under the CCPA as personal information includes:

  • Direct identifiers such as real name, alias, postal address, social security numbers, driver’s license, passport information and signature.
  • Indirect identifiers such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names…
  • Biometric data such as face, retina, fingerprints, DNA, voice recordings, health data…
  • Geolocation data such as location history via devices.
  • Internet activity such as browsing history, search history, data on interaction with a webpage, application or advertisement.
  • Sensitive information such as personal characteristics, behavior, religious or political convictions, sexual preferences, employment and education data, financial and medical information.

In the CCPA, personal information has no format or medium limitation, which means that even pictures or sounds can qualify as personal information, if they fall under the definition in the law.

However, the CCPA’s definition of personal information does not include de-identified/anonymized information or aggregate information (i.e. information about multiple users that does not contain personally identifiable information) – with the exception of household data, which we’ll look at in a minute.

Enforcement of the CCPA has begun!

On August 14, 2020, the final CCPA regulations took effect and enforcement began.

If you haven’t made sure your website is compliant with the CCPA, now is the time to take action.

The California Privacy Rights Act (CPRA) has been passed into law

The new California Privacy Rights Act (CPRA) was passed into law in the General Election on November 3, 2020.

The California Privacy Rights Act (CPRA) amends and expands the existing data privacy regime under the CCPA – giving new rights to California residents, strengthening business requirements and creating a whole new government agency responsible for enforcement.

The California Privacy Rights Act (CPRA) will take effect on January 1, 2023, with a look-back period to January, 2022, and will enter into full enforcement on July 1, 2023.

CCPA’s personal information definition includes anything that can reasonably lead to the identification of an individual.

CCPA personal information examples

Using data (that is not in itself personal data) to draw inferences for the purpose of creating profiles on consumers, consisting of consumer behavior, convictions, preferences, intelligence, abilities and characteristics, can be considered personal information under the CCPA.

This expansive definition of PII in the CCPA is a crucial leap for US data privacy, because it directly relates to the billion-dollar ad tech industry of behavioral advertisement based on personal data collection that studies show Americans are worried about and want regulated.

It means that using e.g. cookies, web beacons and social media plugins on your website can be a liability under the CCPA, if you or third parties either directly collect personal information through such means, or if you or third parties collect data that can be used to create identifiable profiles for the purpose of personalized advertisement.

In other words, if data has the potential to ultimately result in the identification of an individual, it can be deemed personal information under the CCPA, since the law defines personal information as reasonably capable of being linked to an individual or a household.

CCPA’s personal information definition is as broad as the European GDPR’s.

In more words, CCPA’s personal information definition includes not only data that identifies, but data that makes the identification possible.

This includes website cookies, browser history and website analytics, such as monitoring user behavior on a domain (how long their mouse hovers on what, scroll speed, clicks and more), since these could, through combination and inference, lead to the identification of an individual.

CCPA household data definition

In the CCPA, personal information also covers a subgroup of data called household information.

Household information has been discussed vigorously since the CCPA passed into law and criticized for its ambivalent nature.

The CCPA’s personal information definition does not further specify what household data means or how it should be enforced.

However, the final CCPA regulations define household as:

“a person or group of people who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.”

Try a free website scan with Cookiebot CMP today to find all cookies and trackers on your domain that collect and process personal information of your end-users.

Cookiebot CMP, CCPA and personal information

If your business has a website, it is almost certain that you, one way or another, collect what is defined in the CCPA as personal information.

Given the broad definition of personal information in the CCPA, first- and third-party cookies can be deemed indirect identifiers, reasonably capable of identifying an individual through the collection of personal information such as browser history, cross-site tracking, IP addresses and other behavioral data that trackers and plugins on your website collect on your end-users.

Our solution ensures full transparency and CCPA compliance for businesses and their websites.

An important part of being compliant with the CCPA is for a business to know the exact make-up of its website – what cookies and trackers are hiding behind its surface and what third parties are in operation collecting personal information (for which the business is liable).

With the CCPA, personal data is no longer a commodity that businesses can trade and sell without any thought for the consumer. In California, personal information is becoming owned by the end-users themselves.

CCPA compliance with Cookiebot CMP

Our solution works to protect privacy and human autonomy on our digital infrastructures, and we are thrilled to see strong data privacy laws emerging around the world – from Europe to the US.

Our CMP is a compliance solution for CCPA and GDPR – depending on what configuration you and your business need and where in the world your end-users are located.

Cookiebot scans your website, uncovers all cookies and trackers in place and blocks them all from collecting personal information until your end-users have given their consent to which trackers they will allow to be activated, as the strong privacy requirements of the European GDPR demand.

We also support the CCPA requirement of having a Do Not Sell My Personal Information link on a business’ website.

Cookiebot CMP enables CCPA compliance.

Try Cookiebot CMP for free today if your business and its websites have visitors from the EU or from California, whose personal information you collect through cookies, trackers and social media plugins on your domains.

This way, you can ensure transparency and the protection of privacy for your end-users, as well as become CCPA compliant.

FAQ

What is personal information under the CCPA?

Personal information is defined as any information that relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes names, addresses, social security numbers, driver’s license, location data, sensitive information about personal characteristics, religious or political convictions, sexual orientation, as well as internet activity such as browsing history, search history, IP addresses and more.

Are cookies defined as personal information under the CCPA?

Yes. Under the CCPA, cookies are classified as unique or persistent identifiers because of their ability to collect and process information that can be used to identify or reidentify a California resident. Most third-party cookies on websites will assign Unique IDs to a user’s browser that can be used to track the user across the Internet and across devices.

Which organizations must comply with the CCPA?

Companies and for-profit organizations that meet any of the following thresholds are defined as a business under the CCPA and must comply with the law, no matter where in the world they are located: have an annual gross revenue of more than $25 million, derive 50% or more of their annual revenues from selling consumers’ personal information, or buy, receive, sell or share the personal information of 50,000 or more California residents per year.

How can I control cookies on my website?

Cookies are notoriously difficult to manage, since a large part are secretly loaded by other third-party cookies, and a majority of these will have changed on repeated visits. Using a consent management platform (CMP) that can scan and detect all cookies and trackers, then automatically control them until your users give their choice of consent or opt out, can help make your website compliant with the CCPA.