While CCPA is far-reaching in terms of companies that are impacted, the legislation only applies to specific types of data, namely personal data from CA residents.
The data covered under CCPA is identified as “personal information”. The CCPA definition of personal information is data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Put simply, it is data that identifies an individual or household or that can be used to identify an individual or household.
Given the free flow of data and the sheer amount of data collected passively and automatically by our computers and phones, this is an incredible amount of information, and it is not crystal clear what data might be capable of “reasonably” being linked to an individual.
Take exercise tracking apps. If the routes start and end at a residence, then the routes themselves, without any personal information on the user, make it reasonable to infer that the residence is the address of the individual. This type of data has been shown to expose the sites of secret overseas military facilities.
Geolocation data, something that mobile apps have notoriously hoovered up from users, is a broad category of data that can easily be linked to individuals.
The same goes for data that identifies your online activities, such as search history or browser fingerprinting.
It is easy to imagine almost any user-associated data being considered personal information under CCPA.
There are a few personal information exceptions that were added to CCPA so as not to overlap with other privacy regulations where the data is already being regulated. Those exceptions include healthcare data and financial data.
A list of personal information explicitly listed in CCPA is below.
It’s safe to assume any information you store on individuals, or individual users, falls under CCPA.