The term “personal information” is defined within the CCPA in a similar, but not identical, manner to the term “personal data” within the GDPR. The following provides a side-by-side comparison of the two terms:
While courts and the California Attorney General have yet to provide interpretative guidance concerning the scope of “personal information” under the CCPA, or to indicate the extent to which they will interpret that term consistently with the interpretations made by European supervisory authorities of the term “personal data,” one potentially significant differentiator is the inclusion of the term “reasonably” in the definition. A strong argument could be made that the inclusion of this word was intended to remove from the scope certain types of information which have been treated as “personal data” in Europe. For example, while European regulators have suggested that data which is hashed, or salted and hashed, would still fall within the definition of “personal data” because there remains a theoretical possibility that the data could be re-identified,1 a California court could determine that such information falls outside the scope of the CCPA as it cannot be “reasonably” linked to a consumer.