Artifact GuideUSPersonal And Sensitive Pi Categories

US CCPA Personal And Sensitive Pi Categories

Personal And Sensitive Pi Categories decisions under the US CCPA should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
7

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

This page maps US CCPA obligations for Personal And Sensitive Pi Categories to trigger conditions, accountable owners, required deadlines, evidence records, and review paths that product, legal, privacy, security, and compliance teams can apply.

Section 1

What should teams decide about Personal And Sensitive Pi Categories under the US CCPA?

Start by identifying what the CCPA treats as personal information and sensitive personal information. Personal information is information that identifies, relates to, or could reasonably be linked to a particular consumer or household, and the CCPA gives examples such as a name, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences about preferences and characteristics.

Sensitive personal information is a narrower set of personal information that includes social security numbers, driver's license numbers, financial account access information, precise geolocation, the contents of mail, email, and text messages, genetic data, biometric information used to identify a consumer, and information about health, sex life, sexual orientation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership. Personal information does not include publicly available information.

After the category is clear, decide whether the issue affects notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure. The useful answer should name the exact category, affected product or process, required action, owner, evidence, and escalation point.

  • List the exact personal information or sensitive personal information category in scope.
  • Record which role, product, system, customer group, or data flow is in scope.
  • Attach the source-linked rule, the owner, and the evidence field before approving the control.
  • Escalate uncertainty when the facts depend on thresholds, exemptions, cross-border activity, vulnerable users, or enforcement-sensitive wording.
Sources for this answer
California Civil Code section 1798.100
Supports the notice-at-collection rule requiring businesses to disclose personal-information and sensitive-personal-information categories, purposes, sale or sharing, and retention.
California Privacy Protection Agency FAQ - personal and sensitive personal information
Explains the CPPA's public-facing distinction between personal information, sensitive personal information, and the right to limit sensitive-information use.
California Civil Code section 1798.140
Provides the statutory definitions that determine whether data falls into CCPA personal-information or sensitive-personal-information categories.
Section 2

Who should own Personal And Sensitive Pi Categories, and what evidence should prove the decision?

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

  • Name one accountable owner and one reviewer for the Personal And Sensitive Pi Categories workflow.
  • Keep source screenshots or source links, decision notes, implementation tickets, and approval records together.
  • Use dated evidence for deadlines, notices, risk assessments, contracts, user journeys, and regulator-facing records.
  • Review the evidence after product changes, new markets, new vendors, enforcement updates, or material changes in the source text.
Sources for this answer
California Privacy Protection Agency FAQ
Supports evidence planning by identifying the CCPA rights tied to personal-information and sensitive-personal-information categories.
California Civil Code section 1798.100
Supports category evidence by requiring businesses to disclose purposes, sale or sharing status, and retention for each category.
CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations
Supports data-minimization evidence by tying CCPA category handling to reasonably necessary and proportionate collection, use, retention, and sharing.
Section 3

Which edge cases should teams check before relying on a Personal And Sensitive Pi Categories decision?

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

  • Check whether the rule changes for minors, consumers, business users, public-sector bodies, regulated sectors, high-risk services, or cross-border transfers.
  • Separate binding law, regulator guidance, consultation material, standards, and enforcement commentary in the evidence record.
  • Do not rely on a previous answer if the data categories, user interface, vendor role, or contractual flow changed.
  • Track unresolved assumptions in an open-questions section and route legal interpretation points for review.
Sources for this answer
California Civil Code section 1798.100
Supports edge-case review when new category collection, incompatible secondary use, sale or sharing, or retention changes require updated notice.
California Privacy Protection Agency FAQ
Supports edge-case review by listing examples of sensitive personal information that require limit-use handling.
California Civil Code section 1798.140
Supports category boundary review because CCPA definitions decide whether records, identifiers, inferences, or sensitive data are in scope.
CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations
Supports boundary review when a collection or use is not reasonably expected by the consumer or needs separate consent.
Section 4

How should teams operationalize Personal And Sensitive Pi Categories with proportionate controls?

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.

  • Create a short intake question that identifies the Personal And Sensitive Pi Categories scenario.
  • Map the answer to a required action, evidence field, owner, reviewer, and review date.
  • Link related artifact pages with descriptive anchors so users can move from scope to deadlines, controls, penalties, and templates.
  • Update the workflow when official source material changes or when internal evidence shows recurring exceptions.
Sources for this answer
California Civil Code section 1798.100
Operational support for mapping each personal-information category to purpose, retention, and compatibility controls.
California Privacy Protection Agency FAQ
Operational support for connecting sensitive-information categories to consumer limit-use choices.
California Civil Code section 1798.140
Operational support for classifying records against the statutory personal-information and sensitive-personal-information definitions.
Recommended next step

Turn US CCPA Personal And Sensitive Pi Categories into assigned work

This US CCPA guide turns Personal And Sensitive Pi Categories into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

Assessment workflow
Open Assessment Autopilot for US CCPA

Turn Personal And Sensitive Pi Categories into scoped questions, evidence fields, and review tasks.

Explore next step
Research workflow
Review US CCPA source evidence

Use Research Copilot to answer follow-up questions with cited source material.

Explore next step
Talk to Sorena
Talk through implementation

Review scope, evidence, owners, and the next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

California Civil Code section 1798.100
leginfo.legislature.ca.gov
Referenced sections
  • Operational support for mapping each personal-information category to purpose, retention, and compatibility controls.
"reasonably necessary and proportionate"
California Civil Code section 1798.100
leginfo.legislature.ca.gov
Referenced sections
  • Supports category evidence by requiring businesses to disclose purposes, sale or sharing status, and retention for each category.
"categories of sensitive personal information to be collected"
California Civil Code section 1798.140
leginfo.legislature.ca.gov
Referenced sections
  • Operational support for classifying records against the statutory personal-information and sensitive-personal-information definitions.
"sensitive personal information"
Related guides

Explore more topics

California CCPA/CPRA Opt Out Signal Workflow Guide
California CCPA/CPRA guidance for Opt Out Signal Workflow, with practical decisions, evidence, edge cases, and external source citations.
CCPA Global Privacy Control (GPC): team obligations and technical implementation
US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.
How should teams decide whether US CCPA applies?
US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Applicability Test Guide
Practical guidance for the US CCPA applicability test, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Compliance Checklist
Practical guidance for the US CCPA checklist, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Compliance Guide
Practical guidance for the US CCPA compliance, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Consumer Rights Workflow Guide
US CCPA guidance for Consumer Rights Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Contract Classification Workflow Guide
US CCPA guidance for Contract Classification Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Dark Patterns Guide
US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Data Broker Crossover Guide
US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Deadlines and Compliance Calendar Guide
US CCPA guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Do not sell or share Guide
US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Do Not Sell Share Implementation Guide
US CCPA guidance for Do Not Sell Share Implementation, with practical decisions, evidence, edge cases, and external source citations.
US CCPA DSAR Verification Guide
US CCPA guidance for DSAR Verification, with practical decisions, evidence, edge cases, and external source citations.
US CCPA DSAR Workflow Guide
US CCPA guidance for DSAR Workflow, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Enforcement And Penalties Guide
US CCPA guidance for Enforcement And Penalties, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Financial Incentives Guide
US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations.
US CCPA GPC Signal Guide
US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Minors Guide
US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Notice at collection Guide
US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations.
US CCPA penalties and fines Guide
US CCPA guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Privacy Law FAQ
Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Privacy Notices And Disclosures Guide
US CCPA guidance for Privacy Notices And Disclosures, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Privacy Policy Guide
US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Privacy Policy Template Guide
US CCPA guidance for CCPA Privacy Policy Template, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Requirements Guide
Practical guidance for the US CCPA requirements, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Risk And Cyber Audits Guide
US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Scope and Thresholds Guide
US CCPA guidance for Scope and Thresholds, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Service Provider Contractor And Third Party Contracts Guide
US CCPA guidance for Service Provider Contractor And Third Party Contracts, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Service Provider Contractor Contracts Guide
US CCPA guidance for Service Provider Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations.
US CCPA Thresholds Guide
US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations.
US CCPA vs CPRA Guide
US CCPA guidance for CCPA vs CPRA, with practical decisions, evidence, edge cases, and external source citations.
US CCPA vs GDPR Guide
US CCPA guidance for CCPA vs GDPR, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about consumer request verification under the CCPA?
US CCPA guidance for consumer request verification, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Dark Patterns under the US CCPA?
US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Data Broker Crossover under the US CCPA?
US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Do not sell or share under the US CCPA?
US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Financial Incentives under the US CCPA?
US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Minors under the California CCPA?
US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Notice at collection under the US CCPA?
US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Personal And Sensitive Pi Categories under the US CCPA?
US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Privacy Policy under the US CCPA?
US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Risk And Cyber Audits under the US CCPA?
US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations.
What should teams do about Service Provider And Contractor Contracts under the US CCPA?
US CCPA guidance for Service Provider And Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations.