| PI Category (CPRA) | Examples | Business/Commercial Purposes | Categories of Recipients | Sold? | Shared for Ads? | Retention (period or objective criteria) |
|---|---|---|---|---|---|---|
|
Identifiers |
Name, email, phone, loyalty ID, device IDs |
Account setup, customer service, fraud/security, offers |
Service providers (CRM, email), payment processors, security & fraud vendors |
No |
Yes |
Account lifecycle + 24 mo after last interaction; security logs 12 mo |
|
Customer Records |
Address, DOB (for KYC/age gating) |
Reservations, KYC, regulatory compliance |
Service providers (KYC, reservations), government regulators as required |
No |
No |
7 yrs for gaming/tax compliance; otherwise 24 mo |
|
Commercial Information |
Purchases, reservations, comps, win/loss |
Loyalty management, analytics, offers |
Payment/loyalty processors, analytics |
No |
Yes |
Transaction records 7 yrs; loyalty history 5 yrs from last activity |
|
Internet/Network Activity |
Pages viewed, device/browser, session logs |
Site operations, security, analytics, ad personalization |
Analytics, advertising technology |
No |
Yes |
7 yrs (analytics); security logs 12 mo |
|
Geolocation |
On-prem app location, IP-based city/region |
Wayfinding, fraud/security, localized offers |
Mapping/analytics providers |
No |
Yes |
Precise: 24 hrs-30 days; coarse: 13 mo |
|
Inferences |
Segments (e.g., preferred games) |
Personalization, offers |
None/Service providers (only as processor) |
No |
Yes |
24 mo |
|
Audio/Visual |
CCTV on property |
Security/safety, incident response |
Security providers, law enforcement (as required) |
No |
No |
30-90 days unless flagged for incident |
| SPI Category | Examples | Use (No inference by default) | Limit SPI Available? | Retention |
|---|---|---|---|---|
|
Government IDs (for KYC) |
Driver license (viewed/scanned as required by law) |
Age/identity verification; regulatory compliance |
Not applicable if not used to infer characteristics |
As required by regulation then delete; no marketing use |
|
Financial Data |
Last-4 PAN, tokens; no full PAN/CVV stored |
Payment processing via PCI provider |
N/A |
Only transaction artifacts retained per PCI/finance policy |
|
Precise Geolocation |
App-based on-property location (if enabled) |
Wayfinding, queue mgmt., safety |
Yes (Limit SPI control) |
24 hrs-30 days (operational), then delete/de-ID |
|
Biometric (if any) |
Face/voice for access (if deployed) |
Access control/security only |
Yes |
Only as long as required for security; follow vendor deletion schedule |
|
Account Credentials |
Not collected/stored in plaintext |
N/A |
N/A |
Not stored in plaintext; rotate per policy |