What does ‘personal data’ actually mean under the CCPA?

Next story
Tony Anscombe, ESET Global Security Evangelist

The window for proposed amendments to the California Consumer Privacy Act (CCPA) ended on Friday, Sept. 13. One of the amendments that is expected to pass is Assembly Bill 1355, which modifies the definition of “personal information” as information that is “reasonably capable of being associated with: a particular consumer or household,” instead of the currently proposed “capable of being associated.”

Adding the word “reasonably” into the definition narrows the boundary of what is considered personal information. Prior to this amendment, the definition of personal information would probably encompass nearly all the information a business holds as that info is likely associated with an individual—even if the data in question has no relevance to privacy.

How this narrows the definition may be better explained via the use of the word “reasonable” in common law. “Beyond a reasonable doubt” means that prosecutors bear the burden of proof to the extent there could be no reasonable doubt in the mind of a reasonable person. It would be much harder if the word reasonable was missing from the term, as “beyond a doubt” would be hard to prove.

Some background: CCPA is set to become effective on January 1, 2020. Designed to enhance privacy rights and consumer protection for residents of California, the key features of the act will provide those residents with the right to:

  • Know what personal data is being collected about them
  • Be informed if their personal data is sold or disclosed and to whom
  • Opt out of the sale of personal data
  • Request access to their personal data
  • Request that personal data collected from them is deleted
  • Not experience discrimination by exercising their privacy rights

What does the term “personal data” mean in relation to CCPA? The CCPA comes on the heels of the European Union’s General Data Protection Regulation (GDPR) which took effect in May 2018. GDPR defined personal information this way:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

While this definition set a line in the sand, so to speak, and is a great general definition, it could be open to interpretation, especially when you start considering personal information on the edges of being “personal.” California legislators have taken the definition much further by including granular details of what constitutes personal data and stretching the legislation to include “household” data. CCPA legislation provides a very specific definition, which you can find in our Practical Guide to CCPA.

A summarized definition, such as the one included in the GDPR, has the issue of being open to interpretation in some instances. A granular definition like the one included in the CCPA means that any item not listed might be deemed not to be included unless covered in the general wording. There is no perfect way of defining what personal information is—especially when you consider that 20 years ago it would have a thing of science fiction to think that fitness tracking would be as simple and widespread as it is today, with hundreds of millions of people tracking how many steps they took today.

The amendments to the CCPA show that defining personal information is a complex and evolving task, one that is likely never to be set in stone.


Tony Anscombe is the Global Security Evangelist for ESET. With over 20 years of security industry experience, Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and Internet safety. He is regularly quoted in security, technology and business media, including BBC, The Guardian, The New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS.