Under the CPRA can a consumer object to a company using sensitive personal information for behavioral or targeted advertising?
The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[1] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct, “at any time,” a business to “limit its use of the consumer’s sensitive personal information . . . .”[2]
The right to object to the continued use of sensitive personal information is not absolute. According to the CPRA, if a business receives an instruction to limit its use of sensitive personal information, the business is still permitted to use the sensitive personal information for some forms of advertising. Such advertising, however, must be “non-personalized” and can only be shown as part of a consumer’s “current interaction with the business.”[3] As a result, behavioral or targeted advertising that is personalized for a consumer may no longer be permitted.
Under the CPRA can a consumer object to a company using sensitive personal information for data analytics?
The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[4] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct “at any time” a business to “limit its use of the consumer’s sensitive personal information . . . .”[5]
The right to object to the continued use of sensitive personal information is not absolute. According to the CPRA, if a business receives an instruction to limit its use of sensitive personal information, the business is still permitted to request that a company perform services on that same data to provide analytics on its behalf.[6]
Does the CPRA require data minimization with regard to the storage of information?
Yes.
Data minimization is not addressed by most privacy laws in the United States and was not mandated by the CCPA. Privacy laws in the United States that do touch upon data minimization generally do not require it; instead, they recommend it as a best practice or as a condition for achieving a safe harbor from allegations of improper security. For example, the New York Shield Act considers a business to be “deemed to be in compliance” with the requirement it develop reasonable safeguards to protect certain information if, among other things, the business “disposes of private information within a reasonable amount of time after it is no longer needed for business purposes….”[7]
Unlike the CCPA, the CPRA appears to contain a data minimization requirement. Specifically, the law states:
A business shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary for that disclosed purpose [for which it was collected].[8]
The data retention language of the CPRA is similar to the language contained within the European GDPR which permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.”[9]
The requirement that a company keep information for the least amount of time needed is often referred to as “storage limitation” and, by many privacy advocates, falls within the larger rubric of “data minimization.”
Under the CPRA can a consumer object to a company sharing sensitive personal information with AdTech companies for their use in constructing a consumer profile?
Yes.
The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[10] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, or sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct, “at any time,” a business to “limit its use of the consumer’s sensitive personal information . . . .”[11]
The right to object to the continued use of sensitive personal information is not absolute. According to the CPRA, if a business receives an instruction to limit its use of sensitive personal information, the business is still permitted to use the sensitive personal information for some forms of advertising. Such advertising, however, must be “non-personalized” and the business is not permitted to disclose the sensitive personal information to third parties that intend to use it to “build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.”[12]
[1] CPRA, 1798.140(ae).
[2] CPRA, 1798.121(a).
[3] CPRA, 1798.121(a); 1798.140(e)(4).
[4] CPRA, 1798.140(ae).
[5] CPRA, 1798.121(a).
[6] CPRA, 1798.121(a); 1798.140(e)(5).
[7] New York Bus. Law § 899-bb(2)(a), (b)(ii)(C)(4).
[8] CPRA, 1798.100(a)(3).
[9] GDPR, Article 5(1)(e).
[10] CPRA, 1798.140(ae).
[11] CPRA, 1798.121(a).
[12] CPRA, 1798.121(a); 1798.140(e)(4).