{"id":1090,"date":"2022-04-28T13:37:00","date_gmt":"2022-04-28T13:37:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=1090"},"modified":"2026-03-12T09:15:50","modified_gmt":"2026-03-12T08:15:50","slug":"ccpa-personal-information-ccpa-compliance-with-cookiebot-cmp","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/ccpa-personal-information-ccpa-compliance-with-cookiebot-cmp\/","title":{"rendered":"CCPA for Personal Information"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-pii-definition\">CCPA PII definition<\/h2>\n\n\n\n<p>In the <a href=\"https:\/\/www.cookiebot.com\/en\/ccpa\/\">California Consumer Privacy Act (CCPA)<\/a>, personal information is defined as:<\/p>\n\n\n\n<p><em>\u201c<em>Information<\/em> that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.\u201d<\/em><\/p>\n\n\n\n<p>According to the CCPA, <strong>person information is a broad category<\/strong>\u00a0of all kinds of data ranging from the most straight-forward and intuitive personal data to things that might not at first sight seem like personal data at all.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-categories-of-personal-information\">CCPA categories of personal information<\/h2>\n\n\n\n<p>A list of what is defined under the CCPA as personal information includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Direct identifiers<\/em>\u00a0such as real name, alias, postal address, email address, social\u00a0security numbers, driver's license, passport information and signature.<\/li>\n\n\n\n<li><em>Indirect identifiers&nbsp;<\/em>such as cookies, beacons, pixel tags, telephone numbers, IP addresses, account names\u2026<\/li>\n\n\n\n<li><em>Biometric data&nbsp;<\/em>such as face, retina, fingerprints, DNA, voice recordings, health data\u2026<\/li>\n\n\n\n<li><em>Geolocation data&nbsp;<\/em>such as location history via devices,<\/li>\n\n\n\n<li><em>Internet activity&nbsp;<\/em>such as browsing history, search history, data on interaction with a webpage, application or advertisement.<\/li>\n\n\n\n<li><em>Sensitive information<\/em>&nbsp;such as personal characteristics, behavior, religious or political convictions, sexual preferences,&nbsp;employment and education data, financial and medical information.<\/li>\n<\/ul>\n\n\n\n<p>In the <a href=\"\/en\/ccpa\/\">CCPA<\/a>, personal information has <strong>no format or medium limitation<\/strong>, which means that even <strong>pictures<\/strong>&nbsp;or <strong>sounds<\/strong>&nbsp;can qualify as personal information, if they fall under the definition in the law.<\/p>\n\n\n\n<p>However, the definition in CCPA of personal information <strong>does not include de-identified\/anonymized information<\/strong>, as well as <strong>aggregate information<\/strong>\u00a0(i.e. information about multiple users that does not contain personally identifiable information) \u2013 with the exception of household data, which we\u2019ll look at in a minute.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-personal-data\">CCPA personal data<\/h2>\n\n\n\n<p>Under the CCPA, personal information has no format or medium restrictions, which means that <strong>additional privacy practices and requirements can extend to<\/strong> pictures,\u00a0 sounds, or other data sources <strong>if they fall under the personal information definition under the law.<\/strong>\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What is the CCPA?<\/strong><\/h2>\n\n\n\n<p>The California Consumer Privacy Act (CCPA) is a state-level data privacy regulation in the United States that empowers consumers with more control over how their personal information is used by commercial entities. <a href=\"\/en\/ccpa-regulations\/\">CCPA requirements<\/a> guide how organizations need to comply with the law.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-are-consumers-rights-under-the-ccpa\">What are consumers\u2019 rights under the CCPA?<\/h3>\n\n\n\n<p>Consumers\u2019 privacy rights included under the CCPA are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>right to access: to learn whether and what data has been collected about them and have access to a copy of it<\/li>\n\n\n\n<li>right to know: if their information is being sold to or shared with third parties<\/li>\n\n\n\n<li>right to opt out: to decline consent for the sale or sharing of their personal data, or for targeted advertising or profiling<\/li>\n\n\n\n<li>right to deletion: to request that data collected about them be deleted and not used for further processing<\/li>\n<\/ul>\n\n\n\n<p>Of note is that prior consent needs to be obtained from a parent or guardian before collecting or processing the data of known children (under 16 years of age). Additional rights were also introduced with the <a href=\"https:\/\/www.cookiebot.com\/en\/cpra\/\">California Privacy Rights Act (CPRA)<\/a> in 2023, so it is important to be up to date on those as well for fully regulatory compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">California PII Laws<\/h2>\n\n\n\n<p>The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) that expanded and amended the CCPA, are two important regulations that impact how businesses handle the personal information of residents of California.<\/p>\n\n\n\n<p>The CCPA, which went into effect on January 1, 2020, is designed to give California residents more control over their digital privacy and personal data. The law requires businesses to disclose what personal information they collect, how it is used, and to provide consumers with the ability to opt-out of the sale of their personal information.<\/p>\n\n\n\n<p>The CPRA, which was approved by California voters in November 2020, builds upon the CCPA and expands privacy rights for consumers. It includes new requirements for businesses, such as providing consumers with the right to correct inaccurate personal information and limiting businesses' use of sensitive personal information.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full is-resized is-style-cb-rounded\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/California-PII-laws.svg\" alt=\"CCPA\u2019s personal information definition includes anything that can reasonably lead to the identification of an individual.\" class=\"wp-image-13824\" width=\"770px\" height=\"432px\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/California-PII-laws.svg?v=2bf8d1d40ab5529d 150w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/California-PII-laws.svg?v=2bf8d1d40ab5529d 300w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/California-PII-laws.svg?v=2bf8d1d40ab5529d 768w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/California-PII-laws.svg?v=2bf8d1d40ab5529d 1024w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/California-PII-laws.svg?v=2bf8d1d40ab5529d 770w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><figcaption class=\"wp-element-caption\">CCPA\u2019s personal information definition includes anything that can reasonably lead to the identification of an individual.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-enforcement-has-begun\">CCPA enforcement has begun<\/h2>\n\n\n\n<p>The CCPA was in effect when the CPRA was passed, and enforcement of the latter also began in March 2024. The California Privacy Protection Agency (CPPA) is now the enforcement authority, taking over from the California Attorney General\u2019s office.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-the-california-privacy-rights-act-cpra-is-now-law\">The California Privacy Rights Act (CPRA) is now law<\/h3>\n\n\n\n<p>The <a href=\"\/en\/cpra\/\">California Privacy Rights Act (CPRA)<\/a> was passed in the general election on November 3, 2020.\u00a0<\/p>\n\n\n\n<p>The CPRA amends and expands the existing data privacy regime under the CCPA, giving new rights to California residents, strengthening business requirements and creating a whole new government agency responsible for enforcement.<\/p>\n\n\n\n<p>The California Privacy Rights Act (CPRA) came into effect on January 1, 2023, with a look-back period to January 2022. Enforcement was initially supposed to begin on July 1, 2023, but was delayed due to legal challenges. Enforcement began after that was resolved, on March 29, 2024.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-personal-information-under-ccpa\">Personal information under CCPA<\/h2>\n\n\n\n<p>Using data (that is in itself not personal data) to <strong>draw inferences for the purpose of creating profiles<\/strong>&nbsp;on consumers, consisting of consumer behavior, convictions, preferences, intelligence, abilities and characteristics <strong>can be considered by CCPA as personal information<\/strong>.<\/p>\n\n\n\n<p>This expansive definition in the CCPA of PII is a crucial leap for US data privacy, because it directly relates to the billion-dollar ad tech industry of behavioral advertisement based on personal data collection that <a href=\"https:\/\/www.pewresearch.org\/internet\/2019\/11\/15\/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information\/\" target=\"_blank\" rel=\"noreferrer noopener\">studies show Americans are worried about and want regulated<\/a>.<\/p>\n\n\n\n<p>It means that using e.g. <strong>cookies<\/strong>, <strong>web beacons<\/strong>&nbsp;and <strong>social media plugins<\/strong>&nbsp;on your website can be a liability under the CCPA, if you or third parties either directly collect personal information through such means, or if you or third parties collect data that can be used to create identifiable profiles for the purpose of personalized advertisement.<\/p>\n\n\n\n<p><a href=\"\/en\/ccpa-cookies\/\">What does the CCPA say about cookies?<\/a><\/p>\n\n\n\n<p>In other words, if data has the&nbsp;<em>potential<\/em>&nbsp;to ultimately result in the identification of an individual, it can be deemed <strong>personal information<\/strong>&nbsp;under the CCPA, since the law defines personal information as&nbsp;<em>\u201c<strong>reasonably capable<\/strong>\"<\/em>&nbsp;of being linked to an individual or a household.<\/p>\n\n\n\n<p>In more words, CCPA\u2019s <strong>personal information<\/strong>&nbsp;definition includes not only data that identifies, but data that <strong>makes the identification possible<\/strong>.<\/p>\n\n\n\n<p>This includes <strong>website cookies<\/strong>, <strong>browser history<\/strong>&nbsp;and <strong>website analytics<\/strong>, such as monitoring user behavior on a domain (how long their mouse hovers on what, scroll speed, clicks and more), since these could, through combination and inference, lead to the identification of an individual.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-ccpa-household-data-definition\">CCPA household data definition<\/h2>\n\n\n\n<p>In the <a href=\"\/\">CCPA<\/a>, personal information also covers a subgroup of data called <strong>household information<\/strong>.<\/p>\n\n\n\n<p><strong>Household information<\/strong>&nbsp;has been discussed vigorously since the CCPA passed into law and criticized for its ambivalent nature.<\/p>\n\n\n\n<p>The CCPA\u2019s personal information definition does not further specify what household data means or how it should be enforced.<\/p>\n\n\n\n<p>However, the <a href=\"\/en\/ccpa-regulations\/\">final CCPA regulations&nbsp;<\/a>define household as:<\/p>\n\n\n\n<p><em>\u201da person or group of people who reside at the same address, share a common device or the same service provided by a business and are identified by the business as sharing the same group account or unique identifier.\u201d<\/em><\/p>\n\n\n\n<p><a href=\"\/en\/ccpa-regulations\/\">Learn more about the final CCPA regulations and enforcement<\/a><\/p>\n\n\n\n<p>Of note is that under the CPRA, \u201cdevices\u201d have been removed from the compliance requirements and thresholds for households.<\/p>\n\n\n<div class=\"cta-block cta-block--size-s cta-block--only-buttons cb-ctx--blue\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                    <h2 class=\"cta-block__title no-default-margin like-h4\">\n                        Find all cookies and trackers on your domain that collect and process end users\u2019 personal information.                    <\/h2>\n                                                                                                                                                                        <\/div>\n                            <div class=\"cta-block__right-column\">\n                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"f0e53acf-4f42-45ea-96fb-6fa98ed7db0e\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"\/en\/cookie-checker\/\" target=\"_blank\">\n<span>Scan your website now<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                        <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-cookiebot-cmp-ccpa-and-personal-information\">Cookiebot CMP, CCPA and personal information<\/h2>\n\n\n\n<p>If your business has a website, it is almost certain that you one way or another collect what is defined in the CCPA as <strong>personal information<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-compliance-thresholds-for-the-ccpa\">Compliance thresholds for the CCPA<\/h3>\n\n\n\n<p>While almost all websites collect data, the CCPA applies to a limited number of organizations. It only protects the personal data of residents of California, processed by commercial entities that:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>have annual gross revenues exceeding US $25 million in the preceding calendar year<\/li>\n<\/ul>\n\n\n\n<p>or<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>receive, buy, or sell personal information of 100,000 or more consumers or households<\/li>\n<\/ul>\n\n\n\n<p>or<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>earn more than 50 percent of their annual revenue from the sharing or sale of consumers\u2019 personal information<\/li>\n<\/ul>\n\n\n\n<p>Given the broad definition in the CCPA of personal information, first and third party cookies can be deemed <strong>indirect identifiers<\/strong>, reasonably capable of identifying an individual through the collection of personal information such as <strong>browser history<\/strong>, <strong>cross-site tracking<\/strong>, <strong>IP addresses<\/strong>, other behavioral data that trackers and plugins on your website collect on your end-users.<\/p>\n\n\n\n<p>The Cookiebot CMP solution enables data controllers to provide transparency about data collection and use, and enables <a href=\"\/en\/ccpa-cookies\/\">CCPA website compliance<\/a> for businesses. <\/p>\n\n\n\n<p>An important part of achieving CCPA compliance is for a business to know all of the data they collect and from where, how it\u2019s stored, who has access to it, and how it\u2019s used. For example, on the website: what cookies and trackers are in use, what data do they collect, which of them are set by third parties, and what do they do with that data? With the CCPA <strong>rights <\/strong>consumers now have, personal data is no longer a commodity that businesses can collect without limit, trade, share, or sell without any thought for the consumer. In California, personal information belongs to end users, who now have more control over who can access it, and for what purposes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-style-cb-rounded\"><img loading=\"lazy\" decoding=\"async\" height=\"513\" width=\"770\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/CCPA-compliance.svg\" alt=\"Our solution ensures full transparency and CCPA compliance for businesses and their websites.\" class=\"wp-image-13825\" srcset=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/CCPA-compliance.svg?v=4990fdde179a87d5 150w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/CCPA-compliance.svg?v=4990fdde179a87d5 300w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/CCPA-compliance.svg?v=4990fdde179a87d5 768w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/CCPA-compliance.svg?v=4990fdde179a87d5 1024w, https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/04\/CCPA-compliance.svg?v=4990fdde179a87d5 770w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><figcaption class=\"wp-element-caption\">Our solution ensures full transparency and CCPA compliance for businesses and their websites.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-compliance-with-cookiebot-cmp\">CCPA compliance with Cookiebot CMP<\/h3>\n\n\n\n<p>Any organization that is collecting data on California residents and meets compliance thresholds need to have reasonable security procedures in place to ensure that they adequately protect personal data they have collected. They also need to ensure processing of the data and sharing of it follows regulatory requirements. The law also requires such organizations to provide information about data collection and processing and user rights in a prominent place, most commonly via a <a href=\"\/en\/ccpa-privacy-policy\/\">CCPA privacy policy<\/a> on the website.\u00a0\u00a0<\/p>\n\n\n\n<p>Our solution works to protect privacy and human autonomy on our digital infrastructures, and we are thrilled to see strong data privacy laws emerging around the world \u2013 from Europe to the US.<\/p>\n\n\n\n<p>Our CMP is a compliance solution for CCPA&nbsp;<em>and<\/em>&nbsp;GDPR \u2013 depending on what configuration you and your business needs and where in the world your end-users are located.<\/p>\n\n\n\n<p>Cookiebot scans your website, uncovers all cookies and trackers in place and blocks them all from collecting personal information, until your end-users have given their consent to which trackers, they will allow activated, as is the strong privacy requirements of <a href=\"\/en\/gdpr\/\">the European GDPR<\/a>.<\/p>\n\n\n\n<p>We also support the CCPA requirement of having a <strong>Do Not Sell My Personal Information<\/strong>&nbsp;link on a business\u2019 website.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter is-resized is-style-cb-rounded\"><img decoding=\"async\" src=\"\/media\/4337\/ccpa_main_en.png?width=500&amp;\" alt=\"Cookiebot CCPA compliant cookie declaration screenshot - Cookiebot\" width=\"770px\" height=\"353px\"\/><figcaption class=\"wp-element-caption\">Cookiebot CMP enables CCPA compliance.<\/figcaption><\/figure>\n\n\n\n<p>Try Cookiebot CMP for free today if your business and its websites have visitors or customers from California, and you collect personal information using cookies, trackers, social media plugins, and other tools on your domains.<\/p>\n\n\n<a id=\"ac0c6827-dc63-4e06-a05f-04676fbca932\" class=\"cb-button cb-button-size-m cb-button-contained  no-default-link-decoration cb-button-left\" href=\"https:\/\/admin.cookiebot.com\/signup\" target=\"_blank\">\n<span>Start your free 14-day trial now<\/span><\/a>\n\n\n\n<p>This way, you can enable and maintain your company\u2019s compliance with the CCPA, CPRA and other potential\u00a0 privacy regulations. You can ensure transparency with your users about data collection, protection, and processing, as well as compliant consent choices. This is not only required by law, but also helps build trust and brand reputation as you demonstrate respect for user privacy.<\/p>\n\n\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>CCPA PII definition In the California Consumer Privacy Act (CCPA), personal information is defined as: \u201cInformation that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.\u201d According to the CCPA, person information is a broad category\u00a0of all kinds of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":13829,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1090","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2022\/04\/CCPA-for-Personal-Information_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=1090"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1090\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/13829"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=1090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=1090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=1090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}