Protecting Consumer Privacy: A Guide to Personal Information Under CPRA

Table of Contents

The California Privacy Rights Act (CPRA) is one of the most advanced pieces of data protection legislation in the digital era and covers a broad range of categories related to personal and public data. Personal information under the CPRA is clearly protected under stringent laws, but many businesses are still in the blue on what it entails. 

While the CPRA bears many similarities to the GDPR, it differs just as much, especially with regard to defining and safeguarding personal information. The CPRA emphasizes more on personal information ownership rights and businesses may face harsh penalties for violating the personal information protection laws.

But how is personal information defined under the CPRA? What are the categories of “personal information” and how can you determine if your business is compliant with the CPRA in this regard?

This article will discuss the definition and categorization of personal information under the CPRA, the consumer rights protected under this legislation, and best practices for CPRA compliance.

Like the GDPR and other legislation designed to protect consumer rights, the CPRA protects the fundamental right for an individual to own data. While previous legislation has already established the importance of personal data ownership (think of patent data laws), the CPRA covers a broader category of personal data ownership. 

Essentially, it allows consumers to have full authority over who they choose to disclose personal information to, how and when they choose to share their information, and, most importantly, what information they choose to share with businesses.

Some fundamental rights related to personal information under the CPRA include:

The Right to Know What Personal Information Businesses Collect

The right to know what information businesses collect is a fundamental part of the CPRA and other data privacy legislation. Businesses have to be transparent when it comes to collecting personal information as defined under the CPRA framework. However, this doesn’t apply to public or other information categories.

The Right to Access Personal Information

Another major distinction in the CPRA is that it allows consumers to access their personal information, even after they provide it to businesses. Under this law, consumers have the right to request businesses to provide access to their personal information up to twice a year. Furthermore, businesses cannot charge consumers for providing access to personal information.

The Right to Opt Out From Information Collection

As a consumer, you’ll have the right to request companies to stop collecting your personal information and they will have to comply immediately. The legislation doesn’t stop there, though, and allows consumers to request businesses to delete any personal information collected. 

The Right to Know How Their Personal Information is Used

The CPRA also prevents businesses from selling or sharing consumer data with third parties without consent. This process has to be transparent and consumers have to know exactly where and for what purposes their data is being used.

As a whole, the CPRA is more comprehensive in protecting consumer rights to ownership of personal information. These changes may affect the way businesses approach data collection and sharing, even if they already had certain consent policies in place.

If your business is required to be CPRA compliant, you’ll have to ensure that none of these consumer rights are violated in the business’s data collection systems.

CPRA Penalties and Fines

Since the CPRA pertains to businesses that generate revenues of over $25 million annually, the fines for breaching the legislation are significant. Unlike other privacy legislation that leaves ambiguity on how much a business can be fined per incident, the CPRA clearly sets a range for this value. 

The fines will vary based on whether the violation was due to a data breach or the business misused personal information, amongst other factors.

Here’s how these fines apply based on the violation:

If the violation is caused by a data breach, the business or service provider will be liable to a minimum fine of $750 and a maximum of $2500 per incident.

If the business intentionally violates any of the CPRA provisions, they may be fined up to $7500 per incident.

Once a business gets a notice of violation, they have 30 days to show how they rectified the violation. However, this is not always possible, especially in the case of an external data breach.

Multiple violations against the same consumer will be counted as a single violation. However, violations and fines do stack up and if multiple consumers are affected by a single data breach, it will be counted as multiple violations. 

While $2500 or $7500 may seem like a minimal amount for a company with revenue over $25 million, it’s important to consider that most companies that fall under this law will deal with the data of hundreds of thousands of consumers.

So, even a small mistake in the collection and sharing of consumer personal information or a minor security breach can therefore result in a fine of millions for these companies!

Hence the need for businesses to understand what constitutes personal information and how to ensure compliance with these laws.

Personal Information Under the CPRA

Before we look at how to comply with the personal information protection provisions in the CPRA, it’s important to know exactly what counts as “personal information”.

The general definition of personal information under the CPRA is any information associated with or “ linked, directly or indirectly, with a particular consumer or household. ”

But with such broad categorization, how can businesses identify whether certain information is personal or not? And what cannot be counted as “personal information”?

Fortunately, understanding the CPRA’s approach to personal information can help businesses achieve compliance and avoid making mistakes in data collection. For this, it’s important to consider the consumer rights with regard to personal information that are emphasized by the CPRA.

It also helps if we categorize “personal information” as defined by the CPRA. For practical purposes, this can be broken down into 4 distinct categories:

Direct identifiers: This includes data that can be directly used to identify an individual or household such as name, social security number, etc.

Indirect identifiers: This includes information that can be used to relate to a particular individual or household, such as buying patterns or drug prescription usage.

Information that can be used to relate to an individual: This applies to information that is not by definition an identifier but can be used to establish some relation to an individual or household such as browsing patterns, cookies, and other online tracking data. 

Linking information: While this may seem to interlink with the above, it’s slightly different as it refers to information that can be linked with an individual in any form, even though it doesn’t identify on its own. For example, for a business that monitors the usage of a personal login on their site, the site usage data can be classified as personal information.

So what’s in it for businesses? Why go through so much pain to facilitate consumers at a potential loss to the business?

If you look at it from a broader perspective, more transparency can actually benefit businesses. For one, it gives places more trust in businesses since consumers feel in control. It also means that businesses will no longer have to rely on solely buying information and will invest in systems to get it directly from consumers.

This eliminates the need for shady third-party data collectors and ensures businesses have more accurate and up-to-date information. So, if you haven’t already changed your data collection systems, now may be the perfect time to do so! 

CPRA Compliance Best Practices

Now that it’s clear what constitutes personal information under the CPRA and what consumer rights need to be protected, it’s time to ensure your business is CPRA compliant. While this is easier said than done, there are some actionable steps you can implement to ensure compliance. 

Remember, you may not need to follow all these steps, depending on where your business currently stands in terms of data collection procedures.

So, let’s go through them:

Evaluate Whether Your Business Collects Personal Information

Before you can move towards compliance, it’s important to know what type of information flows in and out of your business. Do you collect user data on your website or with direct and indirect identifiers?

Nowadays, it’s rare that businesses operate without needing some type of personal or household information from consumers, and knowing exactly what type of information is used is essential.

You can set a timeline for conducting regular information audits, especially if you deal with sensitive personal information.

Create a Compliant Privacy Policy

Once you know how your business collects and uses personal information, you’ll have to update your privacy policy accordingly. It’s crucial to be completely transparent in this as an incomplete privacy policy can lead to hefty fines.

A thorough privacy policy should include:

A list of your consumer’s rights regarding their data.

A list of what kind of information you collect.

An explanation of how you intend to use their information.

Reasons why you intend to use this information.

Clearly explain the data retention process.

With this in mind, you’ll have to revamp your existing privacy policy or re-create it completely to ensure compliance with the CPRA.

Inform Consumers About Your Data Collection Procedures

This is the most important part of being compliant with the CPRA. It includes getting permission from consumers as well as informing them on how you’ll use their personal information.

Here are some tips to consider when doing so:

Consumers should know what information is needed.

They should be aware of where their personal information is transferred.

You should be transparent about what purpose the information will be used for.

Always create a system whereby consumers can opt out from sharing their data at any time. This includes having a “do not sell my personal information page.”

These tips should ensure that you cover most of the consumer personal information rights protected under the CPRA,

Strengthen Your Data Protection Systems

One of the downsides of the CPRA is that it places a penalty on businesses for each consumer affected by a data breach. If your business deals with personal information, ensure that the storage systems are protected with multiple levels of encryption

For this, it helps to use an external data protection consultant to do an information audit, so you can identify any potential gaps that may be used to breach your systems.

Remember, even small breaches can cost millions, so it’s best to invest in more robust systems than to pay fines for an information breach.


What is Considered Personal Information Under the CPRA?

The CPRA considers personal information as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

What are Some Examples of Personal Information Under the CPRA?

Examples of personal information under the CPRA include direct identifiers such as names and social security numbers, indirect identifiers such as signatures or IP addresses, and associative information such as buying preferences and aptitudes.

Does my Business Need to be CPRA Compliant?

If your business errands more than 50% of its revenue from selling personal information, has an annual revenue of $25 million, or processes the personal information of more than 100,000 consumers, it falls under the CPRA.

How Do I Ensure My Business is CPRA Compliant?

There are several strategies to ensure you are CPRA compliant, including conducting regular information audits, being transparent about data collection, and strengthening your data protection systems.

What is Not Personal Information Under the CPRA?

Information available to the general public or information that businesses believe may reasonably be available to the general public is not counted as personal information. This includes information made available by federal and local government records.


Ensuring that your business is CPRA compliant has never been more crucial. While the concept of personal information may be complex under these laws, ensuring compliance is fairly straightforward.

And that’s what we’re here to help with at Captain Compliance. From conducting an information audit to updating your privacy policies, our experts will ensure your business is thoroughly compliant.

So, avoid losing hard-earned revenue to fines that can easily be avoided, and contact us today!

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a free 30-day trial now.