Published: March 13, 2024
In the world of consumer data privacy laws, "Limit the Use of My Sensitive Personal Information" is a powerful phrase, especially for California consumers and for companies doing business in the state that must comply with the California Privacy Rights Act (CPRA).
This blog dives into the CPRA’s sensitive personal information provision, what it means, and how to comply.
Passed by voters in November 2020 and in effect since January 1, 2023, the CPRA expanded on the California Consumer Privacy Act (CCPA), strengthening consumer protections and introducing the right for consumers to limit the use and disclosure of their sensitive personal information.
First, it’s important to understand the difference between personal information and sensitive personal information. Under the CPRA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This definition includes data such as name, email address, and other identifiers; geolocation data; internet activity information such as browsing and search history; commercial information such as records of personal property, products or services purchased; and characteristics of protected classifications.
You may see a link on websites that reads “Do Not Sell or Share My Personal Information”—this gives consumers control over what businesses do with their personal information and often appears next to “Limit the Use of My Sensitive Personal Information” links.
Sensitive personal information is a category of personal information that includes a consumer's Social Security, driver's license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number combined with any required security or access code, password, or credentials allowing access to the account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email, and text messages, unless the business is the intended recipient; genetic data; biometric information processed to uniquely identify the consumer; personal information collected and analyzed concerning the consumer's health; and personal information concerning the consumer's sex life or sexual orientation.
One important note is that sensitive personal information that is publicly available (as the CPRA defines that term) is not considered sensitive personal information or personal information at all. This applies across the category, including biometric information, health-related information, and information concerning a consumer's sex life or sexual orientation.
By nature, sensitive personal data has the potential to cause harm, and more so if it is misused. For example, sensitive personal information could be used to discriminate against someone based on their religion or sexuality, or financial information could be used for identity theft. Because of this potential, legislators in California wanted to give consumers more control over how their sensitive personal information is used and provide a way to hold businesses accountable if they fail to protect it from hackers and security breaches.
How does the CPRA do this?
In short, the law gives consumers the right to direct a business to limit its use of their sensitive personal information to what is necessary to perform the services or provide the goods an average consumer would reasonably expect (plus a short list of permitted purposes, such as security and fraud prevention, spelled out in the CPRA regulations). Once a consumer has made that request, the business cannot use or disclose the sensitive personal information for any other purpose without exposing itself to penalties. The law sets higher fines when the violation involves a child.
If a business uses or discloses sensitive personal information for purposes beyond those the law permits, it is required to provide a clear and conspicuous link on its homepage, titled "Limit the Use of My Sensitive Personal Information," where consumers can exercise this right. The CPRA regulations also allow a business to replace this link and the "Do Not Sell or Share" link with a single "Your Privacy Choices" link, provided it leads to both choices.
If your business is subject to the CPRA, you must provide consumers with the option to limit the use of their sensitive personal information. In case you've forgotten, here's a quick refresher on the applicability of the CPRA. The law applies to for-profit organizations that do business in California and process the personal information of California residents if they meet any one of three thresholds: annual gross revenue above $25 million in the preceding calendar year; annually buying, selling, or sharing the personal information of 100,000 or more California consumers or households; or deriving 50 percent or more of annual revenue from selling or sharing the personal information of California residents.
Beyond offering the opt-out itself, businesses have several related responsibilities under the CPRA.
One thing to note is that sensitive personal information collected or processed without the purpose of "inferring characteristics" about a consumer is not subject to a consumer's request to limit, but it must still be treated as personal information under the CPRA, with all the rights and obligations that entails.
To comply with the CPRA, businesses must inform consumers, at or before the point of collection, of the categories of sensitive personal information to be collected and the purposes for which it will be collected or used; whether that information is sold or shared; and how long the business retains each category of sensitive personal information (or, if that is not possible, the criteria used to determine the retention period).
Businesses must also implement the avenues consumers use to exercise these rights: at least two methods for submitting a request to limit, one of which is the homepage link described above, and a process that honors the request without requiring the consumer to create an account.
Understanding your obligations and ensuring the right disclosures are essential, as the CPRA is serious when it comes to enforcement and fines can add up quickly. Penalties are $2,500 per violation, or $7,500 for an intentional violation or a violation involving the personal information of a consumer under 16.
While the privacy landscape is complex, and growing more so with new regulations, compliance doesn't have to be. If you're subject to the CPRA, you may want to consider compliance software, such as Osano, which can simplify the process by managing opt-out and limit requests, processing universal opt-out preference signals, and automating consumer and employee subject rights requests.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.