In 2020, the California Consumer Privacy Act (CCPA) came into effect as one of the strictest state-wide data privacy laws in the United States. It regulates how businesses worldwide are allowed to handle the personal information (PI) of California residents. This law sets a new standard for privacy rights. It extends past typical personal data (e.g., phone numbers) to include information such as geolocation and browsing history, among other data types. The CCPA defines PI as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Here we will explore the 11 data categories the CCPA takes into account.
11 CCPA Personal Data Categories
When reviewing the 11 data categories that the CCPA uses to organize PI, note that certain information may fit within multiple categories. For example, a social security number is considered both an identifier and customer record information.
- Biometric Information – Eye color, hair color, height
- Commercial Purchasing Information – Financial data, records of buying property, products purchased
- Customer Record Information – Physical characteristics and descriptions, bank card information, education, telephone number, health information
- Education Information – Schools attended, degrees obtained
- Employment Information – Place of work, past jobs
- Geolocation Data – Any data pertaining to geography
- Identifiers – Names, addresses, social security numbers, passport numbers, driver’s license numbers
- Inferences From Above – Any inferences that can be made from the above data
- Information Related to the Senses – Visual, audio, thermal, olfactory information
- Internet and Electronic Network Activity – Search history, browsing history, essentially any interaction with the internet
- Legally Protected Characteristics – Race, religion, gender identity and expression
Exclusions From the 11 CCPA Categories
While the CCPA is comprehensive and inclusive in defining personal data, it does exclude any publicly available information. This includes any data that can be obtained by referencing federal, state, or local government records. It also does not include de-identified or pseudonymized information that cannot be reasonably linked to an individual. Very niche financial and medical information that may already be regulated by compliance laws such as HIPAA could also fall outside the scope of the CCPA.
Why CCPA Data Categories Matter for Compliance
Businesses are responsible for disclosing the categories of data they are collecting and the purposes they intend to use it for. Understanding the categories of PI and basic requirements of the CCPA will not only help organizations meet current compliance expectations, but it will also fast-track them to meet upcoming data security laws. Notably, the CCPA is continuing to evolve in both its name and its principles: the CPRA (an amendment of CCPA) is set to be enforced January 2023 and has been referred to as “CCPA plus” or “CCPA 2.0.”
Meet California Compliance With Ground Labs
Businesses that are subject to the CCPA and do not safeguard data that falls into these 11 categories risk losing customer trust and facing hefty fines, with civil penalties of up to $7,500 per violation. These, along with reputational damage, are core reasons for your business to work with a trusted partner who can help you stay accountable in meeting CCPA compliance.
You cannot protect what you do not know exists. With Ground Labs’ award-winning solution, Enterprise Recon, your organization can scan, find and remediate hundreds of data types that fall within the CCPA personal data categories.
Schedule a demo today if you are ready to embark on a compliance journey to protect your customers’ data.