Clym Logo

What is personal information under the CCPA?

~ 9 min read

Personal information under the CCPA includes any data that can reasonably be linked to a California resident or household, directly or indirectly. Under the California Consumer Privacy Act (CCPA), personal information is defined broadly. It includes information that identifies, relates to, describes, or could reasonably be linked with a California resident or household. This article explains how the CCPA defines personal information, what types of data are included, what is excluded, and how businesses should think about identifiability in practice.

Summarise full article with:

Introduction

Businesses often assume that personal information only refers to obvious identifiers such as names or email addresses. Under the CCPA, the definition is much wider. Many data points that appear technical, indirect, or anonymous at first glance may still qualify as personal information when they can be linked to a person or household.

Understanding what counts as personal information is foundational. It determines whether data collection activities fall within scope, how notices must be written, and which consumer rights may apply. For a broader view of how these definitions fit into overall obligations, see our CCPA compliance guide 2026 for businesses. In this article we are focusing on the definition and boundaries of personal information under the CCPA. If you are assessing whether these definitions bring your business within scope, our CCPA applicability guide provides a structured overview of coverage rules and thresholds.


How the CCPA defines personal information

Legal definition: Under California Civil Code section 1798.140(v)(1), personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This definition underpins many of the requirements explained in the CCPA compliance guide 2026 for businesses.

Two elements are especially important in this definition:

  • Identifiability, whether the data can be linked to a person or household
  • Reasonableness, whether that linkage can reasonably be made in practice

This means personal information is not limited to data that explicitly names an individual. Context, combination with other data, and typical business capabilities all matter.


Identifiability under the CCPA

A key concept under the CCPA is that information does not need to identify someone by name to qualify as personal information. Data may still be considered personal when it can be reasonably linked to a consumer or household.

Examples of identifiability include:

  • A persistent device identifier linked to repeated visits
  • An IP address associated with a household or user profile
  • Account or login identifiers tied to usage history
  • Data that becomes identifiable when combined with other datasets

This approach reflects how modern digital services operate, where profiles, analytics, and behavioral data often identify users indirectly rather than explicitly.


Categories of personal information under the CCPA

The CCPA provides a non-exhaustive list of personal information categories to illustrate how broadly the definition applies. Common categories include:

  • Identifiers such as names, email addresses, IP addresses, and device IDs
  • Internet or network activity, including browsing behavior and interaction data
  • Geolocation data (and in some cases, precise geolocation may fall into sensitive personal information, which we will be discussing separately).
  • Commercial information such as purchase history
  • Professional or employment-related information
  • Inferences drawn to create profiles about preferences or behavior

These categories are illustrative rather than limiting. Data not listed may still qualify as personal information if it meets the definition. How these categories interact with selling and sharing obligations is explored further in our guide on selling and sharing under the CCPA.


Household and device-level data

One aspect that often surprises businesses is that personal information under the CCPA can relate to a household, not only an individual. Data linked to a shared device, IP address, or account used by multiple people may still be considered personal information.

Examples include:

  • A smart TV or streaming account used by a household
  • Shared IP addresses associated with home networks
  • Device identifiers used by multiple family members

A more specific example would be as follows: a streaming service tracks viewing activity at the account or device level for a shared household. Even when individual users are not named, this data may still be considered personal information if it relates to a household.

Household-level data is especially relevant for connected devices, streaming services, and shared environments.


Online identifiers and tracking data

Many online identifiers qualify as personal information under the CCPA when they can reasonably be linked to a consumer or household. The statute’s definition of personal information expressly includes identifiers and unique identifiers that can be used to recognize a consumer, device, or household over time.

In practice, this means that technical identifiers are not excluded simply because they do not contain a person’s name or contact details. When these identifiers are persistent, reusable, or combined with other data, they may allow a business to recognize or profile a consumer or household and therefore fall within the CCPA’s definition of personal information.

This may include:

  • Cookies and similar tracking technologies
  • Mobile advertising identifiers (such as MAIDs)
  • Browser fingerprints or probabilistic identifiers
  • Analytics or measurement identifiers tied to repeat interactions

For example, a marketing website uses analytics and advertising cookies to recognize returning visitors and build usage profiles over time. Even if the business does not collect names or email addresses, these identifiers may qualify as personal information when they can be reasonably linked to a consumer or household.

Whether a specific identifier qualifies as personal information depends on how it is used and managed. Factors commonly considered include whether the identifier is persistent, whether it is associated with usage history or profiles, and whether it can reasonably be linked to a consumer or household on its own or in combination with other data.

These identifiers are often evaluated alongside cookie and tracking disclosures, which are covered in more detail in our CCPA and online tracking resources.

Inferred and derived data

The CCPA also covers inferences drawn from personal information. Inferred data includes profiles or predictions created to reflect preferences, interests, or behavior.

Examples include:

  • Marketing segments
  • Interest profiles
  • Risk or engagement scores

For example, a business assigns interest categories or engagement scores to users based on browsing behavior. These inferred profiles may still qualify as personal information when they can be linked back to a consumer or household.

Even when the inference itself does not directly identify a person by name, it may still be personal information if it can be linked back to a consumer or household.


What is not considered personal information under the CCPA

Not all data collected by a business qualifies as personal information under the CCPA. Certain types of data can fall outside the definition of personal information when specific statutory conditions are met. Whether an exclusion applies depends on how the data is created, handled, and safeguarded in practice.

Common categories that may fall outside the definition include:

Aggregated information

Aggregated information refers to data that relates to a group or category of consumers and cannot reasonably be linked to any individual consumer or household, including through a device.
For data to be considered aggregated, it must be processed in a way that prevents it from being associated with a specific person or household, even when combined with other data reasonably available to the business. If aggregation still allows identification at the individual or household level, the data may remain personal information under the CCPA.

Deidentified information

Deidentified information may fall outside the definition of personal information when it cannot reasonably be linked to a particular consumer or household, and when the business has implemented reasonable measures designed to prevent reidentification.

Whether data qualifies as deidentified depends not only on how it is transformed, but also on the controls and safeguards in place to reduce the risk of reidentification. Simply removing obvious identifiers or labeling data as “deidentified” is not sufficient if the data can still be linked back to a consumer in practice.

Publicly available information

Publicly available information may be excluded when it is lawfully made available from government records, or when a business has a reasonable basis to believe the information has been lawfully made available to the general public by the consumer or through widely distributed media.

Information that is merely accessible online, inferred, or shared outside these contexts may still qualify as personal information depending on how it is collected and used.

Why these distinctions matter

These exclusions are conditional, not automatic. Data that appears aggregated, deidentified, or public at first glance may still qualify as personal information if it can be reasonably linked back to a consumer or household.

As a result, businesses often evaluate not only the data itself, but also:

  • Whether reidentification is reasonably possible
  • How the data is combined with other datasets
  • What safeguards are in place to limit linkage

Misapplying these exclusions can lead to incomplete disclosures or incorrect assumptions about whether CCPA obligations apply.


Personal information versus sensitive personal information

Some personal information may also qualify as sensitive personal information under the CPRA. That subset carries additional requirements, which are explained separately in our guide on sensitive personal information under the CPRA. Sensitive personal information is a subset of personal information that carries additional restrictions and consumer rights.

While this article focuses on personal information generally, businesses should be aware that certain data types fall into this separate category and may trigger additional obligations. Sensitive personal information is addressed in a dedicated guide.

Why the definition matters for businesses

Understanding what qualifies as personal information under the CCPA affects multiple operational areas, including:

  • Privacy notices and disclosures
  • Cookie and tracking assessments
  • Data mapping and inventory efforts
  • Data subject request workflows

Misclassifying data can lead to incomplete disclosures or missed obligations, particularly when new tracking technologies or analytics tools are introduced.


Where tools and platforms can help

Once businesses understand how broadly personal information is defined under the CCPA, the next challenge is maintaining visibility into how that data is actually collected, used, and disclosed over time. This is especially relevant for online environments where identifiers, tracking technologies, and inferred data can change as websites and vendors evolve.

Platforms like Clym provide tools that support privacy operations connected to these definitions, without replacing legal analysis or determining scope on their own. Relevant capabilities include:

  • Cookie Scanner: Helps teams identify cookies, trackers, and similar technologies present on a website. This can support assessments of whether online identifiers and tracking data qualify as personal information in practice.
  • Consent Widget: Provides a way to present privacy choices to website visitors and collect preference signals related to tracking and data use, which is relevant when personal information is collected through cookies or similar technologies.
  • Privacy & Cookie Policy Management: Supports the creation, updating, and publication of privacy and cookie notices, helping align disclosures with how personal information categories are described and used.
  • DSAR management workflows: Provide structured intake and handling of consumer rights requests, which is particularly important once data qualifies as personal information under the CCPA.
  • Governance Portal and Control Center: Offer centralized visibility into privacy-related configurations, documentation, and workflows across domains.

These tools can help teams operationalize how personal information definitions translate into day-to-day processes, especially as data practices, vendors, or tracking technologies change.


Next steps

Understanding what qualifies as personal information is essential for determining scope, drafting accurate disclosures, and handling consumer rights requests. To see how these concepts connect across applicability, consumer rights, cookies, and enforcement, explore the full CCPA compliance guide 2026 for businesses. To explore how personal information affects coverage decisions, see our CCPA applicability guide. For related topics, review guides on selling and sharing, cookies and tracking, and sensitive personal information.

FAQs about personal information under the CCPA

Personal information under the CCPA includes any data that can reasonably be linked to a California resident or household, directly or indirectly. This may include identifiers, online activity, device data, and inferred information.

Yes. An IP address is personal information when it can reasonably be linked to a consumer or household, such as when it is persistent or combined with other identifiers.

Yes. Email addresses are commonly considered personal information because they directly identify or relate to an individual.

Cookie data may be personal information when it is persistent or can reasonably be linked to a consumer or household through tracking or profiling.

Yes. Hashed or pseudonymized data may still be considered personal information if it can reasonably be linked back to a consumer or household. Hashing or pseudonymization reduces direct identifiability, but it does not automatically take data outside the scope of the CCPA. When a business retains the ability to reverse the process, match hashes, or otherwise reconnect the data to an individual or household, the data generally remains personal information. Hashed or pseudonymized data may fall outside the definition only when it satisfies the CCPA’s deidentified information standard, meaning it cannot reasonably be linked to a consumer or household and reasonable safeguards are in place to prevent reidentification.

Device identifiers, browser fingerprints, and similar technical data may be considered personal information when they can be reasonably linked to a consumer or household through persistence, profiling, or combination with other data.

Analytics and usage data may qualify as personal information when they relate to identifiable users or households, especially when tied to persistent identifiers or profiles.

Publicly available information can be excluded when it is lawfully made available from government records, or when a business has a reasonable basis to believe it is lawfully made available to the general public by the consumer or from widely distributed media.

Certain types of data can fall outside the definition of personal information when specific statutory conditions are met.

Examples include:

  • Aggregated information that cannot reasonably be linked to an individual consumer or household, including through a device
  • Deidentified information that cannot reasonably be linked to a consumer or household and is subject to reasonable measures designed to prevent reidentification
  • Publicly available information that is lawfully made available from government records, or that a business has a reasonable basis to believe was lawfully made available to the general public by the consumer or through widely distributed media

These exclusions are conditional, not automatic. Whether data falls outside the definition depends on how it is handled, combined, and safeguarded in practice.

When it is unclear whether data qualifies as personal information, businesses often evaluate how the data is used, whether it can be linked to individuals or households in practice, and whether reasonable safeguards prevent reidentification.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.

Find out more about Alex

Related articles