In the world of consumer data privacy laws, “Limit the use of my sensitive personal information” is a powerful phrase, especially for California consumers and for companies doing business in the state that are required to comply with the California Privacy Rights Act (CPRA).
This blog dives into the CPRA’s sensitive personal information provision, what it means, and how to comply.
Passed by voters in November 2020, the CPRA expanded on the California Consumer Privacy Act (CCPA), strengthening consumer protections and introducing the right for consumers to limit the use and disclosure of their sensitive personal information.
First, it’s important to understand the difference between personal information and sensitive personal information. Under the CPRA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This definition includes data such as name, email address, and other identifiers; geolocation data; internet activity information such as browsing and search history; commercial information such as records of personal property, products or services purchased; and characteristics of protected classifications.
You may see a link on websites that reads “Do Not Sell or Share My Personal Information”—this gives consumers control over what businesses do with their personal information and often appears next to “Limit the Use of My Sensitive Personal Information” links.
Sensitive personal information is a category of personal information that includes a consumer’s:
One important note is that biometric information, personal information collected and analyzed in relation to a consumer’s health, and information concerning their sex life or sexual orientation are not considered sensitive or personal information if they are publicly available.
By its nature, sensitive personal information has the potential to cause harm, and even more so when it is misused. For example, it could be used to discriminate against someone based on their religion or sexuality, or financial information could be used for identity theft. Because of this potential, legislators in California wanted to give consumers more control over how their sensitive personal information is used and to provide a way to hold businesses accountable if they fail to protect that information from hackers and security breaches.
How does the CPRA do this?
In short, the law gives consumers carte blanche authority to limit the use of the sensitive personal information your organization collects to what is necessary to perform the services or provide the goods an average consumer would reasonably expect. Once a business receives that directive, it cannot use or disclose the information for any other purpose without being subject to penalties. The law states that fines are higher if a child is involved.
If a business collects sensitive personal information, they are required to provide a link on their homepage, titled “Limit the Use of My Sensitive Personal Information,” where consumers can exercise their rights to opt-out.
If your business is subject to the CPRA, you must provide consumers with the option to limit the use of their sensitive personal information. In case you’ve forgotten, here’s a quick refresher on the applicability of the CPRA. The law applies to organizations that do business in the state and process the personal information of residents if they made over $25 million in revenue in the previous year; buy, sell, or receive the personal information of 100,000 or more California consumers; or derive at least 50 percent of their annual revenue from sharing the personal information of the state’s residents.
As part of their responsibilities under the CPRA, businesses are required to:
One thing to note is that sensitive personal information collected or processed without the purpose of “inferring characteristics” about a consumer is not subject to limiting by consumers, but it should be treated the same as personal information under the CPRA.
To comply with the CPRA, businesses must provide consumers with the categories of sensitive personal information to be collected and the purposes for collection or use; inform them of whether the information is shared or sold; and tell consumers how long they retain sensitive personal information.
Businesses that process personal information must also implement a few key avenues for consumers to opt out.
Understanding your obligations and making the right disclosures are essential, as the CPRA is serious about enforcement and penalties can add up quickly: $2,500 per violation, or a whopping $7,500 for an intentional violation or a violation that affects a minor.
While the privacy landscape is complex, and growing more so with new regulations, compliance doesn’t have to be. If you’re subject to the CPRA, you may want to consider compliance software, such as Osano, which can simplify the process by managing opt-out requests, processing universal preference signals, and automating consumer and employee subject rights requests.