CPRA countdown: New compliance obligations and challenges around “sensitive personal information”

A New (Broad) Category of “Sensitive Personal Information”

Under the CPRA, sensitive personal information is generally aligned with U.S. sentiment that some pieces of information are more private than others. While perspectives may differ on what makes information “sensitive,” the CPRA takes a broad approach. As defined, sensitive personal information means personal information relating to a California consumer that reveals:

• Social Security, driver’s license numbers, state identification card, and passport numbers;
• financial account, debit card, or credit card numbers in combination with required security or access codes, passwords, or credentials allowing access to an account;
• account login in combination with required security or access codes, passwords, or credentials allowing access to the account;
• precise geolocation (i.e., information used or intended to be used to locate a consumer within a geographic area equal to or less than approximately 1/8 square mile); 
• information about racial or ethnic origin, religious beliefs, philosophical beliefs, or union membership; 
• contents of consumers’ mail, emails, or text messages, unless the business is the intended recipient of that information; and
• genetic data. 

Sensitive personal information also includes:

• the processing of biometric information for the purpose of uniquely identifying a consumer; and
• information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation.

As with personal data generally, publicly available information does not fall under the definition of sensitive personal information. (See our previous blog post for more detail on when information is considered “publicly available.”)

Determining what Data Constitutes Sensitive Personal Information

While there are many categories specified within the definition of sensitive personal information, businesses should take stock of the breadth of the definition. 

First, the law includes several, though not all, elements of “special categories of personal data” found in the EU General Data Protection Regulation (GDPR). For example, while both GDPR and CPRA include racial or ethnic origin and biometric data under these definitions, the GDPR also includes categories like political opinions. On the other side, the CPRA includes categories of sensitive personal information that do not appear in the GDPR’s Article 9 list of special categories of personal data, such as financial account information.  
 
Second, within the first group of categories above, sensitive personal information is not limited only to the categories specified but rather “information which reveals” these categories. Similarly, personal information “collected and analyzed” concerning a consumer’s health or sex life, or with respect to biometric information, for the purpose of identifying a consumer may constitute sensitive personal data. These modifiers indicate that certain information may in fact be sensitive personal information, even if it would not immediately seem to fit squarely within a category. For example, certain purchasing habits may be enough to “reveal” an individual’s racial or ethnic origin or religious beliefs. 

These broad definitions also leave significant leeway for the forthcoming California Privacy Protection Agency to establish regulations concerning what may or may not be within the scope of the definition. Additionally, some of these new categories have companion CPRA definitions. For example, the law defines both “precise geolocation” and “biometric information.” 

Given the broad definition, which is likely to be expanded, California businesses are likely to spend considerable effort under the CPRA analyzing whether their data sets constitute sensitive personal information and are subject to the resulting heightened obligations.  

Notice at Collection for Sensitive Personal Data 

The CPRA imposes several responsibilities on businesses that process sensitive personal data. While some of these are straightforward in concept, they require significant forethought on the part of businesses to get right. 

For example, a business must include in its notice at collection the categories of sensitive personal information to be collected, the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared (as the CPRA defines those terms). 

Consumer Rights to Limit the Use and Disclosure of Sensitive Personal Information 

The CPRA also enhances the individual rights granted to California residents with respect to their sensitive personal information. 

First, a consumer may direct a business to limit the use of the consumer’s sensitive personal information to a limited set of purposes expressly prescribed by the CPRA or implementing regulations. Specifically, if a consumer requests that a business limits the use of their sensitive personal information, the CPRA prohibits the business from using the sensitive personal information, except for the following permitted purposes:

• the purposes necessary to perform the services or provide the goods reasonably expected by an average consumer who requests the goods or services;
• helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes;
• for short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business;
• to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and
• to undertake activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

The list of permitted purposes may be expanded by the California Privacy Protection Agency, which is charged with promulgating regulations to determine any additional purposes for which a business may use or disclose a consumer’s sensitive personal information.

Obligations to honor these requests extend not only to businesses but also to service providers and contractors who are authorized to collect personal information on behalf of the business. Those service providers and contractors may not use the sensitive personal information for any other purpose after receiving instructions from a business and to the extent they have actual knowledge that the personal information is sensitive personal information. 

The new “use limitation” right overlaps to an extent with the CCPA’s existing right to opt out of “sales” of personal information and the CPRA’s new right to opt out of “sharing” personal information. Taken together, to the extent businesses engage in any of those activities, they must enable consumers to opt out of the sale and/or sharing of personal information (including sensitive personal information) and enable consumers to limit the use of their sensitive personal information to the limited purposes prescribed in the statute and regulations. Specifically, businesses that use or disclose consumers’ sensitive personal information for purposes other than those authorized by the CPRA must:

1. provide a link on their homepage(s) entitled “Limit the Use of My Sensitive Personal Information,” which enables consumers to exercise the rights described above;
2. provide a link on their homepage(s) that both accomplishes #1 and allows a consumer to opt out of the sale or sharing of “personal information;” or
3. respect an opt‐out preference signal sent with the consumer’s consent by a platform, technology or mechanism to accomplish #1, #2 or both, as relevant and prescribed by regulations.

Note that the CPRA provides an exception for “sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer.” That information will not be subject to the additional rights and restrictions associated with sensitive personal information under the law but will instead be treated as other “personal information” for purposes of the CPRA. 

Businesses can expect regulations to be promulgated on this topic; the law calls for the California privacy regulator to “ensur[e] that businesses do not use [this] exemption for the purpose of evading consumers’ rights to limit the use and disclosure of their sensitive personal information.” 

Action Items for Businesses 

Data Mapping
Businesses should undertake efforts to understand fully the types of data they collect and use in order to make these disclosures as accurate as possible. While many organizations conducted data mapping exercises in preparation for CCPA obligations, the broad definition of sensitive personal information and the new consumer rights associated with it make it critical for businesses to understand what types of data they collect, use and disclose may be considered sensitive. 

Exceptions Analysis 
As part of the data mapping exercise, businesses should consider too whether the sensitive information they collect and use may be exempt from CPRA obligations. For example, personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act is not subject to the CPRA, except for provisions regarding consumers’ right of private action. Similarly, the CPRA does not apply to protected health information that is collected by a covered entity or business associate subject to HIPAA. Given that these entities would otherwise maintain a significant amount of sensitive information, a careful exception analysis to determine the extent of the CPRA obligations.  

Examine Uses and Disclosure of Sensitive Personal Information
Businesses should be prepared to honor consumers’ rights to limit the use and sharing of their sensitive personal data. To appropriately limit these uses and offer consumers a mechanism to exercise these rights, businesses will need to take stock of the ways in which their organizations use and disclose sensitive personal information (keeping in mind that some information which may not appear sensitive on its face could still fall under the broad definitions in the statute). This includes considering whether the business uses sensitive personal information so as to infer characteristics about individual consumers. 

In addition, businesses should consider whether their uses of sensitive personal information fall within the purposes explicitly permitted by the statute or implementing regulations (such as to undertake activities to verify or maintain the quality or safety of a service or device). 

Plan for Transparency Requirements and Limitation Mechanisms
After carrying out the steps above, businesses may, in some cases, wish to consider the costs and benefits to the business of continuing to collect sensitive personal information that is not core to their products and services. 

If businesses that handle sensitive personal information and use it to infer characteristics about consumers wish to continue using it in ways other than the specific permitted purposes described above, they should be prepared to build a new “Limit The Use of My Sensitive Personal Information” website link for consumers to exercise their rights. Alternatively, businesses that already provide a “Do Not Sell My Personal Information” link should prepare to include sensitive personal information use and sharing as part of the request process for sale opt-outs. In addition to creating or updating the link, businesses must also develop appropriate technical or organizational processes to stop any prohibited processing activities upon receipt of an individual request to limit the use of a consumer’s sensitive personal information. 

While there is not currently an industry-standard opt-out preference signal, the California Attorney General has stated that at least one new technology, the Global Privacy Control, satisfies the current CCPA requirement for businesses to treat user-enabled global privacy controls as valid requests to opt out of “sales” of their personal information. Under the CPRA, it appears that such an opt-out preference signal could also be used to submit requests to limit the use of consumers’ sensitive personal information (although more details are expected in forthcoming regulations). Businesses should be prepared to consider whether they have the ability to comply with opt-out preference signals as they develop. 

Develop Processes to Comply with Individual Rights Requests 
Businesses should confirm whether back-end processes currently in place to honor sale opt-outs and other rights will need to be altered to limit the use and disclosure of sensitive personal information. This may include earmarking engineering or other IT resources well in advance of implementation to help ensure the rights request process runs smoothly. 

To read the previous installment in our CPRA series on the changes to the definition of “personal information,” click here.

To read our previously-published summary of the CPRA’s key provisions, click here.

For additional context we provided in June 2020 at the time the CPRA was certified to appear on the November 2020 ballot, click here. 

Authored by Scott Loughlin, Donald DePass and Sophie Baum.