What is Personal Information Under the CPRA?

Privacy Compliance
February 6, 2023
What exactly qualifies as personal information under the California Privacy Rights Act?

With all of the different types of data privacy laws that exist across the world, it can get confusing when trying to understand the different terms and definitions. In this guide, we’ll break down in simple terms the definition of Personal Information under the California Privacy Rights Act, or CPRA.

What is the CPRA?

The General Data Protection Regulation (GDPR), which took effect in 2018, requires any business that processes the personal data of people in the EU to take concrete measures to protect both that data and the privacy of the data subjects it concerns, regardless of where the business is headquartered.

Similar in scope, the California Privacy Rights Act (CPRA) applies to for-profit businesses that handle the personal information of California residents and meet at least one of three thresholds. A business is subject to the CPRA if it satisfies any one of the following:

  1. It buys, sells, or shares the personal information of 100,000 or more consumers or households per year. This raises the CCPA's earlier threshold of 50,000 consumers, which takes many small- and medium-sized businesses out of scope. 
  2. As of January 1 of the current calendar year, it had annual gross revenues exceeding $25 million in the preceding calendar year. 
  3. It derives 50% or more of its annual revenues from selling or sharing consumers' personal information.

What is Considered Personal Information Under the CPRA?

The California Privacy Rights Act of 2020 became operative on January 1, 2023, with enforcement beginning July 1, 2023. Among its many additions and modifications to the CCPA (California Consumer Privacy Act), the CPRA expands the definition of "Personal Information". 

Specifically, it adds the category of Sensitive Personal Information. This new category draws on the definition of Special Category Data in the EU General Data Protection Regulation, adds data elements that are commonly treated as sensitive in the U.S., and adds a new twist by including the contents of a consumer's mail, email, and text messages.

The CPRA defines "sensitive personal information" broadly as personal information (other than information that is publicly available) that reveals:

  • A consumer's social security, driver's license, state identification card, or passport number.
  • A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account.
  • A consumer's precise geolocation.
  • A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership.
  • The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication.
  • A consumer's genetic data.
  • Biometric information processed for the purpose of uniquely identifying a consumer.
  • Personal information collected and analyzed concerning a consumer's health.
  • Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

Businesses now have two main duties as a result of the introduction of this new category of personal information. 

  • A business must disclose the categories of sensitive personal information it collects in its notice at collection, which also covers job applicants and employees, as well as in its online privacy policy and any California-specific description of consumer rights. Under the CPRA, this notice must state which categories of sensitive personal information are collected, the purposes for which they are used, whether they are sold or shared, and how long the business intends to retain each category.
  • A business may collect or use sensitive personal information without offering a way to limit it only for the purposes permitted by the CPRA and its implementing regulations, such as performing the services or providing the goods the consumer has requested. If the business intends to use or disclose that information for any other purpose, it must tell the consumer about the intended use or disclosure and about the consumer's right to limit it, and it must give the consumer an easy way to exercise that right, such as the "Limit the Use of My Sensitive Personal Information" link the statute requires. This right to limit does not apply to sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer.