The California Consumer Privacy Act uses one of the broadest definitions of personal information in any US privacy law. It covers data that identifies, relates to, describes, or could reasonably be linked to a specific consumer or household - and that last part is unique to California, meaning even data tied to a shared device qualifies. For website owners, the question is which categories your site actually collects. A single analytics cookie can touch three or four at once.
How the CCPA Defines Personal Information
Section 1798.140(v) of the CCPA defines personal information as any data that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." It captures not just obvious identifiers but also behavioural data, device fingerprints, and inferences drawn from other collected data.
The inclusion of "household" means shared-device data qualifies even when no single person is identified. The phrase "reasonably capable of being associated with" sets a lower bar than requiring direct identification. And the CCPA explicitly lists cookies, pixel tags, and beacons as identifiers within its statutory text. Publicly available government records, de-identified data, and aggregate consumer information are excluded.
The 11 Categories of Personal Information Under the CCPA
The CCPA organises personal information into 11 enumerated categories, codified in Section 1798.140(v)(1). Businesses must disclose which they collect, sell, or share in their privacy policy and notice at collection.
| Category | Examples | Collected via Cookies/Tracking? |
|---|---|---|
| 1. Identifiers | Name, email, IP address, account name, cookie ID, device identifier | Yes - cookie IDs, IP addresses, device identifiers |
| 2. Customer records | Name, signature, address, phone, bank or credit card number, insurance or medical information | Rarely - typically collected via forms, not cookies |
| 3. Protected classifications | Race, religion, gender, sexual orientation, age, disability, nationality | Indirectly - if inferred from browsing patterns or ad targeting |
| 4. Commercial information | Purchase records, products viewed or considered, shopping cart contents | Yes - e-commerce tracking cookies, remarketing pixels |
| 5. Biometric information | Fingerprints, facial recognition data, voiceprints, iris scans, keystroke patterns | Rarely via standard websites |
| 6. Internet or network activity | Browsing history, search history, interactions with a website or advert | Yes - analytics cookies, ad pixels, session recordings |
| 7. Geolocation data | GPS coordinates, IP-based location, Wi-Fi triangulation | Yes - IP geolocation, location-based advertising |
| 8. Sensory data | Audio, video, thermal, olfactory, or similar recordings | Occasionally - session replay tools that record scrolling and clicks |
| 9. Professional or employment data | Job title, employer, work history, performance reviews | Rarely - more common in HR systems and B2B lead enrichment |
| 10. Education information | School records, grades, student status (non-public, as defined by FERPA) | Rarely via standard websites |
| 11. Inferences | Consumer profiles reflecting preferences, behaviour, psychological trends, predispositions, attitudes | Yes - ad platforms and analytics tools routinely create audience segments and interest profiles |
Categories 1, 4, 6, 7, and 11 are the ones most website owners encounter through cookies. A typical stack with Google Analytics, a Meta Pixel, and a remarketing tag touches all five.
Sensitive Personal Information: The CPRA Addition
The California Privacy Rights Act (CPRA), which amended the CCPA and took effect on 1 January 2023, introduced a higher-risk sub-category called sensitive personal information (SPI). This concept is similar to the GDPR's special categories of data, though California's version includes some items the GDPR does not.
SPI under the CPRA includes government identifiers, financial credentials, precise geolocation, racial or ethnic origin, religious beliefs, trade union membership, private communications, genetic data, biometrics, health information, sexual orientation data, and neural data (added by a 2024 amendment).
Businesses that collect SPI must display a "Limit the Use of My Sensitive Personal Information" link or combine it with the "Do Not Sell or Share" link. For most standard websites, cookie categories like analytics and marketing do not typically collect SPI. The exception is precise geolocation: GPS-level coordinates (not city-level IP approximations) qualify as sensitive.
What Cookies and Tracking Technologies Collect Under the CCPA
Cookies are explicitly named as identifiers in the CCPA's statutory text. The law treats cookie data the same way it treats a name or email address - as personal information subject to disclosure, access, and deletion rights.
Google Analytics (_ga, _gid) touches identifiers, internet activity, and geolocation - plus inferences if you use audience segments. Meta Pixel (_fbp) collects identifiers, internet activity, commercial information (purchase tracking), and geolocation. Session replay tools (Hotjar, FullStory) capture internet activity and may record sensory data depending on configuration.
A cookie scan is the fastest way to map which categories your tracking technologies touch. Guessing incorrectly in a CCPA enforcement investigation is not a defence.
CCPA vs GDPR: Comparing Data Classification Approaches
The CCPA and the GDPR both cast a wide net, but they structure classifications differently. The GDPR defines personal data broadly under Article 4(1) and carves out special categories under Article 9, rather than enumerating 11 fixed categories.
| Feature | CCPA/CPRA | GDPR |
|---|---|---|
| Definition scope | Consumer or household | Identified or identifiable natural person |
| Enumerated categories | 11 statutory categories | No fixed list - broad definition plus special categories under Article 9 |
| Sensitive data tier | Sensitive personal information (CPRA) | Special categories of data (Article 9) |
| Cookies explicitly named | Yes - listed as identifiers in the statute | Not explicitly, but covered via the ePrivacy Directive and EDPB guidance |
| Consent model for cookies | Opt-out (with opt-in for SPI and minors) | Opt-in (prior informed consent) |
| Household data included | Yes | No |
| Inferences as a category | Yes - explicitly listed as Category 11 | Not a standalone category, but profiling is regulated under Article 22 |
| Maximum penalty | $2,663 per violation / $7,988 per intentional violation (2025 thresholds) | Up to 20 million EUR or 4% of global annual turnover |
The key practical difference: under the GDPR and ePrivacy Directive, non-essential cookies require prior opt-in consent. Under the CCPA, cookies can fire by default, but consumers must be able to opt out of the sale or sharing of their personal information, and you must honour GPC browser signals.
How to Classify and Map Your Website's Data
Data classification is not a one-off exercise. New cookies appear when you add widgets, swap analytics providers, or embed social feeds. Running a classification on a schedule keeps your privacy disclosures accurate and your consumer rights responses defensible.
Step 1: Audit your cookies and tracking scripts
Use a cookie scanner to identify every cookie, pixel, and script on your site. Kukie.io's scanner detects cookies across all pages and groups them by purpose and provider.
Step 2: Map each cookie to a CCPA category
For each cookie or tracker, determine which of the 11 categories it touches. A single cookie often spans multiple categories. Document these mappings in a data inventory.
Step 3: Identify any sensitive personal information
Check whether any tracking technologies collect precise geolocation, biometric data, or other SPI triggers. If so, you need the "Limit the Use" link.
Step 4: Update your privacy disclosures
Your privacy policy must list the categories collected, the sources, the business purposes, and the third parties involved. The CCPA requires updates at least every 12 months.
Step 5: Implement opt-out mechanisms
Provide a "Do Not Sell or Share My Personal Information" link and honour GPC signals. If you collect SPI, add the "Limit the Use" link as well.
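Steps 2, 3 and 5 as an added worked example (not code from Kukie.io or any scanner): a small JavaScript inventory builder that maps scanned cookie names to the category numbers in the table above, flags precise geolocation as SPI, and checks for a GPC signal. The `audienceSegments`, `preciseGeo` and `categories` fields, the `store_gps` and `widget_x` cookies and the scan list are constructed for illustration; `Sec-GPC: 1` (the Global Privacy Control request header) and the `_ga_<id>` Google Analytics 4 cookie pattern are not named on this page.

```javascript
// Category numbers refer to the 11-category table on this page.
// Name patterns -> categories, from the page's Google Analytics and Meta Pixel notes.
const RULES = [
  { match: /^(_ga(_.+)?|_gid)$/, provider: "Google Analytics", categories: [1, 6, 7] },
  { match: /^_fbp$/, provider: "Meta Pixel", categories: [1, 4, 6, 7] },
];

// Steps 2-3: map one scanned cookie to categories and flag SPI.
// `categories`, `audienceSegments`, `preciseGeo` are hypothetical reviewer-supplied fields.
function classify(cookie) {
  const rule = RULES.find((r) => r.match.test(cookie.name));
  const base = rule ? rule.categories : cookie.categories;
  if (!base) return null; // no rule and no manual mapping: needs review
  const cats = new Set(base);
  if (cookie.audienceSegments) cats.add(11); // audience segments create inferences
  if (cookie.preciseGeo) cats.add(7); // GPS-level location is still geolocation data
  return {
    name: cookie.name,
    provider: rule ? rule.provider : "first party",
    categories: [...cats].sort((a, b) => a - b),
    spi: Boolean(cookie.preciseGeo), // precise geolocation is SPI; IP-level is not
  };
}

// Steps 4-5: union of categories to disclose, unmapped cookies, required links.
function buildInventory(cookies) {
  const rows = [], unmapped = [];
  for (const c of cookies) {
    const row = classify(c);
    if (row) rows.push(row); else unmapped.push(c.name);
  }
  const disclose = [...new Set(rows.flatMap((r) => r.categories))].sort((a, b) => a - b);
  const links = ["Do Not Sell or Share My Personal Information"];
  if (rows.some((r) => r.spi)) links.push("Limit the Use of My Sensitive Personal Information");
  return { rows, unmapped, disclose, links };
}

// Step 5: treat `Sec-GPC: 1` as an opt-out of sale/sharing (header keys lower-cased).
function gpcOptOut(headers) {
  return headers["sec-gpc"] === "1";
}

// Constructed scan result, not real output from any scanner.
const SCAN = [
  { name: "_ga" }, { name: "_ga_EXAMPLE123", audienceSegments: true },
  { name: "_gid" }, { name: "_fbp" },
  { name: "store_gps", categories: [1, 7], preciseGeo: true }, // hypothetical cookie
  { name: "widget_x" }, // hypothetical cookie with no mapping yet
];
console.log(JSON.stringify(buildInventory(SCAN), null, 2));
```

Cookies that end up in `unmapped` are the ones to resolve before the privacy policy is updated, since they are collected but not yet assigned to any disclosed category.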
Enforcement Is Accelerating
The CPPA reported in September 2025 that hundreds of investigations were in progress, many targeting businesses not yet aware of the scrutiny. Notable enforcement actions include the Sephora settlement ($1.2 million, 2022) for failing to honour opt-out requests and GPC signals, DoorDash ($375,000, 2024) for sharing customer data without proper notice, and Tractor Supply ($1.35 million, 2025) for non-functional opt-out forms, outdated privacy policies, and inadequate service provider contracts.
Since January 2025, the CPPA applies inflation-adjusted penalties: up to $2,663 per unintentional violation and $7,988 per intentional violation or per violation involving minors' data. Each affected consumer can count as a separate violation, so a single compliance failure affecting thousands of California visitors can escalate into a seven-figure penalty.
Frequently Asked Questions
How many categories of personal information does the CCPA define?
The CCPA defines 11 categories of personal information in Section 1798.140(v)(1). These range from direct identifiers (names, IP addresses, cookie IDs) to inferences drawn from other collected data. Businesses must disclose which categories they collect in their privacy policy.
Are cookies considered personal information under the CCPA?
Yes. The CCPA explicitly lists cookies, pixel tags, and beacons as identifiers within its definition of personal information. Any cookie that assigns a unique identifier to a visitor - such as Google Analytics' _ga cookie - qualifies as personal information under Category 1 (identifiers).
What is the difference between personal information and sensitive personal information under the CCPA?
Personal information is the broad category covering any data reasonably linkable to a consumer or household. Sensitive personal information (SPI), introduced by the CPRA, is a subset that includes higher-risk data such as government IDs, financial credentials, precise geolocation, biometric data, and information about health or sexual orientation. Consumers have the additional right to limit SPI use.
Does the CCPA require opt-in consent for cookies like the GDPR does?
No. The CCPA follows an opt-out model for most data collection. Cookies can fire by default, but businesses must provide a "Do Not Sell or Share My Personal Information" link and honour Global Privacy Control signals. Opt-in consent is only required for selling or sharing data belonging to consumers under 16 and for certain uses of sensitive personal information.
What CCPA categories does Google Analytics data fall into?
Google Analytics data typically falls into at least three CCPA categories: identifiers (the _ga client ID), internet or network activity (pages visited, session duration, referral sources), and geolocation data (IP-based location). If you build audience segments or remarketing lists, it also generates data in the inferences category.
How often must a business update its CCPA data classification disclosures?
The CCPA requires businesses to update their privacy policy at least every 12 months with current information about the categories of personal information collected, the sources, the purposes, and the third parties involved. Failure to do so was cited as a violation in the CPPA's 2025 enforcement action against Tractor Supply Company.
Can household data collected through shared devices qualify as personal information?
Yes. The CCPA's definition uniquely extends to data linked to a household, not just an individual. This means cookies or tracking data associated with a shared device or home IP address can qualify as personal information even if no specific person is identified - a distinction the GDPR does not make.