With all the new data privacy regulations focused on user privacy and safety, it is often difficult to work out what their definitions actually mean. There are many long and technical explanations out there, but here we'll concisely define what personal data means under the California Consumer Privacy Act (CCPA) so you can focus on doing what you do best.
Defining Personal Information Under CCPA
Under CCPA, personal data is any information that identifies, relates to, or could reasonably be linked with a specific individual or their household. This includes inferences from other personal information that can be used to create a profile of an individual's preferences and characteristics. Here are some examples of personal information:
- Name (in part or full)
- Social security number
- Location information
- Biometric data
- Internet browsing activity
- Email addresses
- Records of past purchases
What Constitutes a Personal Data Breach Under CCPA?
With personal data defined, we can recognize when a data breach becomes a personal data breach and is subject to special regulations. In a personal data breach, data is taken in an unencrypted and unredacted form that contains an individual's first name or first initial together with their last name, in combination with one or more of the following data elements:
- Social security number: This number uniquely identifies an individual and can be used to commit fraud.
- Medical/health insurance information: This information is very sensitive and usually specific to a person.
- Government-issued identification numbers: This includes driver's licenses, tax IDs, military IDs, and passport numbers.
- Financial account/card numbers: This is especially sensitive if breached in combination with security codes or passwords.
- Biometric data: A person's fingerprint, retina signature, and face are unique, although an image on its own is not treated as a breach of personal data unless it is used for facial recognition purposes.
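The breach definition above is a combination rule (name plus at least one listed element, in unencrypted and unredacted form), and the data audit that later sections recommend is easier to reason about when that rule is written down as code. The following is an added example, not code from the original article or from PieEye; the field names, the record layout and the sample records are all constructed for illustration, and the check is a data-audit aid, not a legal determination.

```python
"""Classify leaked records against the CCPA personal-data-breach pattern.

Added example: the field names, record format and sample data below are
assumptions made for this illustration, not values from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Data elements the article lists as triggering a personal data breach
# when exposed together with a name. A face image is handled separately:
# it only counts when the image is used for facial recognition.
TRIGGER_FIELDS: Set[str] = {
    "ssn",
    "health_insurance_id", "medical_record",
    "drivers_license", "tax_id", "military_id", "passport_number",
    "financial_account", "card_number",
    "fingerprint", "retina_scan",
}


@dataclass
class LeakedRecord:
    """One record as it was exposed (constructed field names)."""
    label: str
    fields: Dict[str, object] = field(default_factory=dict)
    encrypted: bool = False
    redacted: bool = False
    face_image_used_for_recognition: bool = False


def name_present(fields: Dict[str, object]) -> bool:
    """First name or first initial, together with a last name."""
    has_last = bool(fields.get("last_name"))
    has_first = bool(fields.get("first_name")) or bool(fields.get("first_initial"))
    return has_last and has_first


def triggering_elements(record: LeakedRecord) -> List[str]:
    """Listed data elements actually present in the exposed record."""
    present = {name for name in TRIGGER_FIELDS if record.fields.get(name)}
    if record.fields.get("face_image") and record.face_image_used_for_recognition:
        present.add("face_image")
    return sorted(present)


def is_personal_data_breach(record: LeakedRecord) -> bool:
    """Encrypted or redacted data does not meet the pattern; otherwise
    a name combined with at least one listed element does."""
    if record.encrypted or record.redacted:
        return False
    return name_present(record.fields) and bool(triggering_elements(record))


def audit(records: List[LeakedRecord]) -> Dict[str, List[str]]:
    """Map each record label to the elements that make it a breach
    (empty list: no notification trigger under this rule)."""
    return {
        r.label: triggering_elements(r) if is_personal_data_breach(r) else []
        for r in records
    }


# Constructed sample records; every value is a placeholder.
SAMPLE_RECORDS: List[LeakedRecord] = [
    LeakedRecord("name+ssn", {"first_name": "Ada", "last_name": "Example",
                              "ssn": "SSN-PLACEHOLDER"}),
    LeakedRecord("initial+card", {"first_initial": "A", "last_name": "Example",
                                  "card_number": "CARD-PLACEHOLDER"}),
    LeakedRecord("name+email+orders", {"first_name": "Ada", "last_name": "Example",
                                       "email": "ada@example.invalid",
                                       "purchase_history": ["order-1"]}),
    LeakedRecord("name+ssn encrypted", {"first_name": "Ada", "last_name": "Example",
                                        "ssn": "SSN-PLACEHOLDER"}, encrypted=True),
    LeakedRecord("name+photo", {"first_name": "Ada", "last_name": "Example",
                                "face_image": "IMAGE-BLOB-PLACEHOLDER"}),
    LeakedRecord("name+photo recognition", {"first_name": "Ada", "last_name": "Example",
                                            "face_image": "IMAGE-BLOB-PLACEHOLDER"},
                 face_image_used_for_recognition=True),
    LeakedRecord("ssn without name", {"ssn": "SSN-PLACEHOLDER"}),
]


def run_sample_audit() -> Dict[str, List[str]]:
    return audit(SAMPLE_RECORDS)


if __name__ == "__main__":
    for label, elements in run_sample_audit().items():
        status = "BREACH" if elements else "no notification trigger"
        print(f"{label:26s} {status} {elements}")
```

Two design choices are worth noting. First, encryption and redaction are checked before anything else, which mirrors the article's framing: the same fields leaked in encrypted form do not meet the pattern, so the audit output also shows where encrypting stored data changes the outcome. Second, a record of name plus email and purchase history deliberately reports no trigger, matching the later point that non-sensitive data alone does not start the notification clock, even though it is still personal data.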
Conclusion
In a nutshell, a personal data breach under CCPA is when information defined as personal data is accessed without authorization. To avoid penalties, ensure CCPA compliance and cookie consent for your Shopify store yourself or partner with experts like PieEye.
Personal Data vs. Publicly Available Information
One common point of confusion for eCommerce brands: not all information about your customers is personal data under CCPA. If information is publicly available—like a business contact listed on a company website—it's generally excluded from CCPA's definition. However, this exclusion has limits.
For your Shopify or BigCommerce store, this matters when you're building customer segments or running remarketing campaigns. If you collect someone's name and email from a public directory and then link it to their purchase history, you've now created a profile that combines public and non-public data. That combination becomes personal data subject to CCPA.
The safest approach: treat customer data as personal data unless you have documented proof that it comes from an official, publicly accessible government source (such as a business license database). Information your customers voluntarily give you during checkout, through a Klaviyo newsletter signup, or via a Meta Pixel conversion definitely qualifies as personal data.
Also remember that data becomes "publicly available" differently in different contexts. A customer's review on your product page is public within your store, but that doesn't mean it's exempt from CCPA protections just because it's on your website.
Sensitive vs. Non-Sensitive Personal Data
CCPA recognizes that not all personal data carries the same risk. While the law doesn't formally tier data into "sensitive" and "non-sensitive," the breach notification rules do. This distinction affects how you should prioritize your data security investments.
For eCommerce brands, non-sensitive personal data includes purchase history, browsing behavior tracked by Google Analytics, email addresses, and phone numbers. These are important to protect, but a breach of this data alone doesn't automatically trigger notification requirements under CCPA.
Sensitive personal data—like Social Security numbers, financial account numbers, or driver's license information—requires different handling. If you're running a luxury eCommerce brand that collects government ID for age verification or international shipping, or if you store payment card details (you shouldn't; use Stripe or PayPal instead), you're managing sensitive data.
The practical implication: your cookie banner on Shopify needs to clearly disclose what data collection tools you're using. If you're tracking with Meta Pixel and Google Analytics, customers need to know. If you're collecting payment or identity verification data, that disclosure becomes even more critical for your legal standing.
Consider conducting a data audit across your entire stack—from your email marketing platform to your analytics—to identify where sensitive data flows. This helps you justify your security measures and demonstrates good faith compliance if you're ever audited.
How CCPA Personal Data Applies to Marketing and Cookies
Your marketing stack (Klaviyo, Meta ads, Google Ads, email automation) relies on personal data at every step. Under CCPA, you need consent before you can collect or use personal data for these purposes in California.
A cookie banner alone isn't enough. You need to disclose what cookies and tracking technologies you're using and why. If you're using Google Analytics to track user behavior, that's collecting personal data. If you're using Meta Pixel to build retargeting audiences, that's personal data. If you're sending customer emails through Klaviyo based on purchase history, that's personal data use that requires proper documentation.
Many eCommerce brands assume their cookie banner covers everything. It doesn't. You also need a clear privacy policy, a way for customers to request their data, and a mechanism to delete data upon request. Your Shopify store's privacy settings should be configured to support these customer rights.
When you're managing personal data across multiple platforms and vendors, keeping track of what needs consent, what requires deletion capabilities, and what demands encryption becomes overwhelming. At that point automated compliance management stops being merely helpful and becomes essential to your operations.