Just as we were getting used to the California Consumer Privacy Act of 2018 (the “CCPA”), Californians voted to approve Proposition 24, the California Privacy Rights Enforcement Act of 2020 (the “CPRA”). For now, the CCPA is still with us – the CPRA becomes effective on January 1, 2023 – but companies that do business in California need to address the new industry requirements, consumer privacy rights, and enforcement mechanisms as far in advance as possible.
The CPRA, like the CCPA, is a consumer-focused law with the goal of expanding consumer knowledge about and control over the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. To that end, the CPRA introduces a new class of information, sensitive personal information. Companies that collect sensitive personal information are required to follow disclosure requirements and implement additional protections and rights for California residents. In order to comply with the new law, a critical first step for businesses is to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.
What is sensitive personal information?
The CPRA’s approach to sensitive personal information generally tracks the European Union’s General Data Protection Regulation’s definition of Special Category Data, but adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages. Specifically, the CPRA defines sensitive personal information as:
- social security, driver’s license, state identification card, or passport number;
- account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- precise geolocation;
- racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of a consumer’s mail, email, and text messages;
- genetic data;
- biometric information for the purpose of identifying a consumer;
- personal information collected and analyzed concerning a consumer’s health, sex life or sexual orientation.