Just as we were getting used to the California Consumer Privacy Act of 2018 (the “CCPA”), Californians voted to approve Proposition 24, the California Privacy Rights Enforcement Act of 2020 (the “CPRA”). For now, the CCPA is still with us – the CPRA becomes effective on January 1, 2023 – but companies that do business in California need to address the new industry requirements, consumer privacy rights, and enforcement mechanisms as far in advance as possible.
The CPRA, like the CCPA, is a consumer-focused law with the goal of expanding consumer knowledge about and control over the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. To that end, the CPRA introduces a new class of information, sensitive personal information. Companies that collect sensitive personal information are required to follow disclosure requirements and implement additional protections and rights for California residents. In order to comply with the new law, a critical first step for businesses is to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.
What is sensitive personal information?
The CPRA’s approach to sensitive personal information generally tracks the European Union’s General Data Protection Regulation’s definition of Special Category Data, but adds data elements commonly viewed in the U.S. as sensitive, and introduces a new twist by including the contents of a consumer’s mail, email, and text messages. Specifically, the CPRA defines sensitive personal information as:
- social security, driver’s license, state identification card, or passport number;
- account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- precise geolocation;
- racial or ethnic origin, religious or philosophical beliefs, or union membership;
- the contents of a consumer’s mail, email, and text messages;
- genetic data;
- biometric information for the purpose of identifying a consumer;
- personal information collected and analyzed concerning a consumer’s health, sex life or sexual orientation.
What are the consequences under the CPRA?
Notices to Consumers. A business that collects sensitive personal information will need to revise its notice at collection to consumers, including job applicants and employees, and in any online privacy policy or California-specific description of consumer rights. Under the CPRA, this notice must now also disclose the categories of sensitive personal information to be collected, the purposes for which they will be used, whether this information will be sold or shared, and the length of time the business intends to retain each category of sensitive personal information.
Beyond notice to consumers, when a business collects or processes sensitive personal information for the purpose of “inferring characteristics” about a consumer – generally for the purpose of advertising – the business is limited to using the information only to provide services or goods requested by the consumer, for limited purposes enumerated by the CPRA, and as may be authorized by future implementation regulations. If the business intends to use or disclose this information for any other purpose, it must provide the consumer with notice of the intended use or disclosure and the consumer’s right to limit this use or disclosure. This can result in additional notices to consumers if a business changes its use of personal information – something which happens regularly.
Opt-out Mechanisms. A business that uses sensitive personal information for inferring a consumer’s characteristics must provide the consumer with an opt-out mechanism entitled “Limit the Use of My Sensitive Personal Information.” Just as important, a business must have an effective means of ensuring that the opt-out mechanism is honored.
Additional consumer rights. The CPRA imposes additional consumer rights and limitations on the use of sensitive personal information:
- a business may use sensitive information only to the extent necessary to perform services or provide goods;
- in addition to the notice requirements noted above, if the use of the information changes, the business must obtain consent from the consumer – and consent can be difficult to obtain; and
- businesses must ensure that their service providers and contractors follow these limitations, requiring a review and revision of vendor agreements.
What do you need to do now?
Whether or not you have taken steps to comply with the CCPA, the introduction of sensitive personal information means that you will need to revisit and expand existing data mapping activities. The CPRA requires you to identify the collection of sensitive personal information, review how you collect the information and how you use and disclose it, and determine whether your use or disclosure is permitted by the CPRA. This task requires an interdisciplinary team with a full understanding of your business operation, including members that are familiar with advertising, marketing, and website data collection activities, to identify where sensitive personal information is being collected for the purpose of inferring consumer characteristics. The team also needs to determine how to respond promptly and accurately to opt-out requests.
Finally, agreements with vendors need to be reviewed and, where necessary, amended to ensure that service providers, contractors and third parties all comply with the new requirements. Because of the prevalence of third parties in data collection and handling, identifying vendors that collect or use your sensitive personal information should be one of the highest priorities for compliance.
The Jeffer Mangels Butler & Mitchell Cybersecurity and Privacy Group is dedicated to providing clients guidance to comply with the broad range of privacy and security laws, rules and regulations, and to achieving actual data security – and when necessary, serving as part of the team that addresses data breaches that can’t be avoided. For more information contact Robert Braun (rbraun@jmbm.com) or Michael Gold (mgold@jmbm.com).