Personal Information Categories
Overview
The CCPA defines "Personal Information" as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This definition is intentionally broad and includes 12 specific categories enumerated in the statute.
Personal information can exist in various formats:
- Physical formats: Paper documents, printed images, vinyl records, video tapes
- Digital formats: Text, image, audio, or video files
- Abstract digital formats: Compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information
The 12 Categories of Personal Information
Under Section 1798.140(v)(1), personal information includes the following categories:
| Category | Description | Examples |
|---|---|---|
| (A) Identifiers | Basic identifying information | Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers |
| (B) Customer Records | Personal information described in subdivision (e) of Section 1798.80 | Information enumerated in California Civil Code § 1798.80(e), including signature, physical characteristics or description, telephone number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information |
| (C) Protected Classifications | Characteristics of protected classes | Race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information), age (40 years or older) |
| (D) Commercial Information | Records of purchasing behavior | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies |
| (E) Biometric Information | Physiological, biological, or behavioral characteristics used to establish identity | DNA, imagery of iris/retina/fingerprint/face/hand/palm/vein patterns, voice recordings, faceprints, minutiae templates, voiceprints, keystroke patterns/rhythms, gait patterns/rhythms, sleep/health/exercise data containing identifying information |
| (F) Internet/Network Activity | Online behavior and interactions | Browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement |
| (G) Geolocation Data | Physical location information | GPS coordinates, location tracking data (see also "Precise geolocation" definition for regulatory distinctions) |
| (H) Sensory Information | Audio, visual, and other sensory data | Audio, electronic, visual, thermal, olfactory, or similar information |
| (I) Professional/Employment Information | Work-related data | Current or past job history, performance evaluations, disciplinary records |
| (J) Education Information | Non-public educational records | Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99) |
| (K) Inferences | Derived consumer profiles | Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes |
| (L) Sensitive Personal Information | See Sensitive Personal Information section below | A subset of personal information requiring heightened protections (detailed in Section 1798.140(ae)) |
Sensitive Personal Information
"Sensitive personal information" is a subset of personal information that receives additional protections under the CCPA. It is defined in Section 1798.140(ae) and includes three main groupings:
Information That Reveals:
| Subcategory | Description |
|---|---|
| (A) Government IDs | Consumer's social security, driver's license, state identification card, or passport number |
| (B) Account Credentials | Consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account |
| (C) Precise Geolocation | Data derived from a device used to locate a consumer within a geographic area equal to or less than a circle with a 1,850-foot radius |
| (D) Protected Characteristics | Consumer's racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership |
| (E) Communication Contents | Contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication |
| (F) Genetic Data | Consumer's genetic information |
| (G) Neural Data | Information generated by measuring the activity of a consumer's central or peripheral nervous system that is not inferred from nonneural information |
Processing of Certain Data:
| Subcategory | Description |
|---|---|
| (2)(A) Biometric Identification | The processing of biometric information for the purpose of uniquely identifying a consumer |
| (2)(B) Health Data | Personal information collected and analyzed concerning a consumer's health |
| (2)(C) Sexual Information | Personal information collected and analyzed concerning a consumer's sex life or sexual orientation |
Key Exception
Sensitive personal information that is "publicly available" pursuant to Section 1798.140(v)(2) shall not be considered sensitive personal information or personal information.
What Is NOT Personal Information
Section 1798.140(v)(2) excludes the following from the definition of personal information:
Publicly available information: Information lawfully made available from federal, state, or local government records; information a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience
- Exception: Biometric information collected by a business about a consumer without the consumer's knowledge is not considered publicly available
Deidentified information: Information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer (see /key-definitions/personal-information for deidentification requirements)
Aggregate consumer information: Information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household
Deidentified Information Requirements
For information to qualify as "deidentified" under Section 1798.140(m), a business must:
Take reasonable measures to ensure that the information cannot be associated with a consumer or household
Publicly commit to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy these requirements
Contractually obligate any recipients of the information to comply with all provisions of this subdivision
Related Identifiers and Concepts
Unique Identifier
A "unique identifier" or "unique personal identifier" (Section 1798.140(aj)) means a persistent identifier that can be used to recognize a consumer, a family, or a device linked to a consumer or family, over time and across different services. This includes:
- Device identifiers
- Internet Protocol addresses
- Cookies, beacons, pixel tags, mobile ad identifiers, or similar technology
- Customer numbers, unique pseudonyms, or user aliases
- Telephone numbers
- Other forms of persistent or probabilistic identifiers
For purposes of this definition, "family" means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody.
Probabilistic Identifier
A "probabilistic identifier" (Section 1798.140(x)) means the identification of a consumer or a consumer's device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
Relationship to Business Operations
Personal information is distinguished from information used for "business purposes" as defined in Section 1798.140(e). Business purposes include eight enumerated operational uses, such as:
- Auditing related to counting ad impressions to unique visitors
- Helping to ensure security and integrity
- Debugging to identify and repair errors
- Short-term, transient use (including nonpersonalized advertising)
- Performing services on behalf of the business
- Providing advertising and marketing services (excluding cross-context behavioral advertising)
- Undertaking internal research for technological development
- Verifying or maintaining quality or safety of services or devices
For a complete understanding of how personal information may be used, see /implementing-ccpa-compliance/opt-out-mechanisms for opt-out requirements and /understanding-ccpa/consumer-rights for consumer rights regarding personal information.
Amendment History
The definitions in Section 1798.140 were amended by Stats. 2025, Ch. 67, Sec. 27 (AB 1170), effective January 1, 2026. The addition of neural data as a category of sensitive personal information reflects the statute's evolving approach to emerging technologies.