
What is Personal Information Under the CPRA?

What exactly qualifies as personal information under the California Privacy Rights Act?

With all of the different types of data privacy laws that exist across the world, it can get confusing when trying to understand the different terms and definitions. In this guide, we’ll break down in simple terms the definition of Personal Information under the California Privacy Rights Act, or CPRA.

What is the CPRA?

The General Data Protection Regulation (GDPR), which took effect in 2018, was designed to make sure that any business handling personal data acquired in the EU takes real measures to secure both that data and the privacy of the data subjects it concerns. Any entity that handles the personal data of people living in the EU is subject to it, regardless of where the entity is headquartered.

Similar in scope, the California Privacy Rights Act (CPRA) applies to for-profit organizations that handle the personal information of California citizens and satisfy at least one of three requirements. A company is subject to the CPRA's authority if it meets any of the following:

  1. The CPRA applies to companies that exchange the personal information of at least 100,000 customers or households. This raises the CCPA's previous threshold of 50,000 consumers, which eases the burden on small- and medium-sized businesses.
  2. The CPRA also applies to a company with $25 million in gross annual revenue as of January 1 of the previous year.
  3. The CPRA also has authority over companies that derive 50% or more of their total income from sharing or selling the personal information they collect from users.

What is Considered Personal Information Under the CPRA?

The California Privacy Rights Act of 2020 is set to go into effect in the spring of 2023. Among its many additions and modifications to the CCPA (California Consumer Privacy Act), the CPRA broadens the definition of "Personal Information".

Specifically, it adds the category of Sensitive Personal Information. This new category adopts the definition of Special Category Data from the EU General Data Protection Regulation, adds data elements that are commonly treated as sensitive in the U.S., and adds a new twist by including the contents of a customer's mail, email, and text messages.

The CPRA broadly defines "sensitive personal information" as "personal information that is not generally available" and that discloses:

  • A customer's passport, state ID, driver's license, or social security number.
  • The username, password, or other credentials needed to access a customer's account, together with their financial account, debit card, or credit card number.
  • The precise geolocation of a customer.
  • The racial or ethnic origin, religious or philosophical beliefs, or union membership of a customer.
  • The contents of a customer's mail, emails, and text messages, unless the company is the intended recipient.
  • The genetic data of a customer.
  • Biometric data processed for the purpose of uniquely identifying a customer.
  • Personal information about a customer's health.
  • Personal information about a customer's sex life or sexual orientation.

Businesses now have two main duties as a result of the introduction of this new category of personal information.

  • A company must disclose its collection of sensitive personal information to consumers, including job applicants and employees, in its notice at the time of collection, as well as in any online privacy policy or California-specific description of consumer rights. Under the CPRA, this notice must now also state which categories of sensitive personal information will be collected, the purposes for which they will be used, whether they will be shared or sold, and how long the business plans to retain each category of sensitive personal information.
  • A company may only collect or use sensitive personal information for the limited purposes specified by the CPRA and its future implementing regulations, and only where doing so is necessary to deliver the products or services the customer has requested. If the business plans to use or disclose this information for any other purpose, it must inform the customer of the planned use or disclosure and of the customer's right to limit it, and it must give the customer an opt-out option so that this right can be exercised easily. This right to limit use or disclosure does not apply to sensitive personal information that is not collected or processed for the purpose of inferring characteristics about a consumer.
