What Personal Information Must Be Redacted Under the CCPA?

The CCPA defines personal information across 11 categories under Section 1798.140(v), all of which must be redacted from documents when responding to consumer access requests or disclosing records to third parties. The California Privacy Rights Act (CPRA) added a twelfth designation, Sensitive Personal Information, with stricter handling requirements.

The 11 categories

1. Identifiers: Name, alias, postal address, IP address, email address, account name, Social Security number, driver's license number, passport number.
2. Protected classification characteristics: Race, religion, marital status, medical condition, disability, sexual orientation, veteran status, genetic information.
3. Commercial information: Purchase history, records of personal property, consuming tendencies.
4. Biometric information: Fingerprints, facial imagery, voice recordings, DNA, iris scans.
5. Internet or network activity: Browsing history, search history, interaction with websites or ads.
6. Geolocation data: Precise physical location.
7. Sensory data: Audio, visual, thermal, or olfactory information.
8. Professional or employment information: Job history, performance evaluations.
9. Non-public education information: Student records as defined under FERPA.
10. Inferences: Profiles drawn from any of the above reflecting preferences, behavior, or psychological traits.
11. Sensitive Personal Information (SPI): Added by the CPRA. Includes account credentials combined with security codes, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail and messages, genetic and biometric data used for identification, health information, and sex life or sexual orientation data.

How this differs from HIPAA's identifier list

HIPAA specifies exactly 18 Safe Harbor identifiers tied specifically to patient health information. The CCPA's scope is broader and applies across industries, not just healthcare. A single business contract can contain data from multiple CCPA categories simultaneously: identifiers, commercial information, and inferences may all appear in the same document.

What redaction must look like

Redacting CCPA-covered information requires permanent removal from the document's file structure, not a visual overlay. According to the Section 1798.150 safe harbor, "redacted" means the data cannot be recovered through copy-paste, text extraction, or metadata inspection. Black boxes drawn over text in a PDF editor do not meet this standard. For a full breakdown of redaction workflow requirements, see our CCPA redaction requirements guide.

Try it free: RedactifyAI detects all 11 CCPA personal information categories across PDFs, Word documents, and scanned images and removes them permanently. Try it at redactifyai.com. Free tier available, no card required.