CCPA 2.0 and the Changing Privacy Landscape: CPRA’s Definition and Treatment of “Sensitive Personal Information”
As we noted in our prior post, on November 3, 2020, Californians approved Proposition 24, a ballot measure creating the California Privacy Rights Act (CPRA), which amends and expands the provisions and requirements of the California Consumer Privacy Act (CCPA). Effective January 1, 2023, the CPRA will significantly revise the CCPA by expanding consumer rights, imposing heightened privacy protections, and establishing an enforcement agency dedicated to protecting consumers through vigorous enforcement of the law, among other changes.
In this Digital Insights series on the CPRA, we will highlight and detail some of the most substantive and important modifications the new law will impose on the CCPA, and what those changes mean to businesses subject to California’s ever-evolving privacy regime.
One major change from the CCPA is the CPRA’s introduction of “sensitive personal information” (sensitive PI) as a new regulated dataset. The introduction of this new dataset also aligns with additional disclosure and purpose limitation requirements, and new consumer rights relating to their sensitive PI. The CPRA’s treatment of sensitive PI takes a page from the European Union’s General Data Protection Regulation (GDPR), which likewise restricts the ability of companies to process such sensitive information belonging to European data subjects.
Under the CPRA, the following consumer identifiers will qualify as sensitive PI, when not publicly available:
- Social Security numbers,
- Driver’s license number or state identification number,
- Passport number,
- Account credentials,
- Financial account, debit card, or credit card number, in combination with any required security or access code, password, or credentials allowing account access,
- Precise geolocation,
- Racial or ethnic origin,
- Religious or philosophical beliefs,
- Union membership,
- The contents of a consumer’s mail, email, and text messages, unless the business is the intended communication recipient,
- genetic data,
- biometric information,
- health information, and
- information concerning a consumer’s sex life or sexual orientation.
Additional Requirements & Restrictions Surrounding Sensitive Personal Information
Once in effect, the CPRA will prescribe new and separate requirements and restrictions on the collection and processing of sensitive PI, including:
- Right to Limit Use and Disclosure of Sensitive PI: Consumers will have the affirmative right to limit a business’s uses or disclosure of their sensitive PI solely to those uses necessary to perform the services or provide the goods reasonably expected by an average consumer requesting those goods or services.
- Right to Correction: A business will have to correct inaccurate personal information regarding a consumer within 45 days of receiving a verifiable consumer request from the consumer.
- Right to Deletion: A business will have to delete personal information based on the consumer’s request within 45 days of receiving a verifiable consumer request from the consumer.
- Methods of Limiting the Sale, Sharing, and Use of Sensitive PI: Businesses that sell or share consumer’s sensitive PI will have to:
- Provide a clear link on its website homepage title “Do Not Sell or Share My Personal Information” that enables a consumer to opt-out of the sale or sharing of their personal information, including sensitive PI.
- Provide a clear link on its website homepage titled “Limit the Use of My Sensitive Personal Information” that enables a consumer to limit the use or disclosure of their sensitive PI.
- Not require consumers to create an account or provide additional non-essential information in order to (1) instruct the business not to sell or share their information, or (2) limit the use or disclosure of the consumer’s sensitive PI.
- Wait at least 12 months before requesting that the consumer authorize the sale or sharing of their personal information or the use and disclosure of their sensitive PI for additional purposes.
We will continue to monitor developments around the implementation of this new law. Please revisit Digital Insights and subscribe to this blog for further installments of our analyses on how the CPRA will amend the CCPA and impact businesses operating in California.
Read Part II of our ongoing series on the CPRA, titled "CCPA 2.0 and the Changing Privacy Landscape, Part II: CPRA’s Covered “Businesses” & Exemptions."