CPRA Series: Sensitive Personal Information
Monday, December 14, 2020
CPRA Series: Sensitive Personal Information
Print Mail Download info_icon_img/>i

The California Privacy Rights Act of 2020 (CPRA) becomes operative on January 1, 2023. Among its numerous amendments and additions to the existing California Consumer Privacy Act (CCPA), the CPRA expands the definition of Personal Information. Specifically, it adds the category of Sensitive Personal Information. This new category tracks the EU General Data Protection Regulation’s definition of Special Category Data, adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages.

The CPRA broadly defines Sensitive Personal Information as Personal Information that is not publicly available and reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number;

  • a consumer’s account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

  • a consumer’s precise geolocation;

  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

  •  a consumer’s genetic data; and

  • the processing of biometric information for the purpose of uniquely identifying a consumer;

  •  personal information collected and analyzed concerning a consumer’s health; or

  • personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The addition of this new category of Personal Information creates two primary obligations for businesses. First, a business will need to include Sensitive Personal Information in its notice at collection to consumers, including job applicants and employees, and in any online privacy policy or CA specific description of consumer rights. Under the CPRA, this notice must now also disclose the categories of Sensitive Personal Information to be collected, the purposes for which they will be used, whether this information will be sold or shared, and the length of time the business intends to retain each category of Sensitive Personal Information.

Second, when a business collects or processes Sensitive Personal Information for the purpose of “inferring characteristics” about a consumer, it may only do so to provide services or goods requested by the consumer, for limited purposes enumerated by the CPRA, and as authorized by future implementation regulations. If the business intends to use or disclose this information for any other purpose, it must provide the consumer with notice of the intended use or disclosure and the consumer’s right to limit this use or disclosure. To facilitate exercising this right, a business must provide the consumer with an opt out mechanism entitled “Limit the Use of My Sensitive Personal Information.” Sensitive Personal Information that is not collected or processed for the purpose of inferring a consumer’s characteristics is not subject to this right to limit its use or disclosure.

Although the GDPR and CPRA share similar definitions of sensitive data, there are two significant differences worth noting. The GDPR prohibits collecting and processing Special Category Data absent receiving the explicit, informed, affirmative (i.e., opt in) consent of the individual to do so, or pursuant to limited circumstances enumerated in the GDPR. In contrast, the CPRA permits collecting and processing Sensitive Personal Information. However, the consumer may limit (i.e., opt out of) the use and disclosure of this data when a business collects it for the purpose of inferring the consumer’s characteristics and will use or disclose it beyond what is necessary to provide requested service or goods to the consumer, and as narrowly permitted by the CCPA and any implementation regulations.

In anticipation of January 1, 2023, preparations should include revisiting or expanding existing data mapping activities to identify the collection of Sensitive Personal Information, reviewing the purpose for collecting this information and how the business uses or discloses it, and determining whether its use or disclosure is permitted or authorized by the CPRA. Similar to preparations for the CCPA, this will require an interdisciplinary team with a broad understanding of business operations. Any team should include members familiar with the business’ advertising, marketing, and website data collection activities to help identify where Sensitive Personal Information may be collected for the purpose of inferring consumer characteristics.

Read More:

CPRA Series: New, Expanded and Modified Consumer Rights

CPRA Series: Impacts On Notice At Collection And Privacy Policy

Prop 24 (California Privacy Rights Act) Extends CCPA’s Anti-Discrimination/Retaliation Provision to Employees, Applicants, and Independent Contractors

California Passes Prop 24: Here Comes CCPA 2.0

Jackson Lewis P.C. © 2024

Current Public Notices

Current Legal Analysis

More from Jackson Lewis P.C.

Rhode Island to Increase Length of Temporary Caregiver Insurance Benefits
by: Matthew C. Chambers , Jonathan R. Shank
Health Plan Hygiene Part 1: A Spoonful of Sugar Helps the Medicine Go Down
by: Natalie M. Nathanson
Top Five Labor Law Developments for June 2024
by: Jonathan J. Spitz , Richard F. Vitarelli
The Broadening Data Security Mandate: SEC Incident Response Plan and Data Breach Notification Requirements
by: Damon W. Silver , Melissa Pascualini
The End of Chevron Deference and the Anticipated Impact on Withdrawal Liability
by: Robert R. Perry , David M. Pixley
DHS Extends Temporary Protected Status for Yemen to Mar. 3, 2026
by: Forrest G. Read IV
Labor Board Issues New Election Rules and Makes It Easier for Workers to Unionize Without a Vote
by: Jonathan J. Spitz , Richard F. Vitarelli
The U.S. Supreme Court Overturned Chevron: What That Means for the NLRB
by: Lorien E. Schoenstedt , Jonathan J. Spitz
White House Extends Eligibility for Deferred Enforced Departure for Liberians
by: Forrest G. Read IV
Supreme Court Reaffirms Federal Courts Lack Authority to Review Visa Denials
by: Carolina Guiral Cuervo

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins