California: Operationalizing CPRA - sensitive personal information
On July 8, 2022, the California Privacy Protection Agency (CPPA) began the formal rulemaking process to update the California Consumer Privacy Act (CCPA) regulations to operationalize new rights and concepts the California Privacy Rights Act (CPRA) introduced. The Board of the CPPA voted to adopt and approve the CPPA's rulemaking package, including the revised CCPA regulations on February 3, 2023, and the CPPA filed its rulemaking package with California's Office of Administrative Law for review on February 14, 2023.
Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights, part two of this series explored the scope of the CCPA as amended by the CPRA, and part three of this series focused on some of the considerations for businesses with regard to vendors. In part four of this series, Shelby Dolen & TK Lively, from Husch Blackwell LLP, examine how the CCPA, as amended by the CPRA, treats sensitive personal information and the compliance challenges businesses need to consider.
The CPRA has a broad definition of sensitive personal information although, to be subject to the law's obligations regarding sensitive personal information, a business must collect or process such information for 'the purpose of inferring characteristics about a consumer.' If so, the CPRA grants consumers the right to limit a business's processing of such information to certain purposes specified in the law and its regulations.
Sensitive personal information defined
The CPRA requires that businesses use sensitive personal information only for limited purposes; otherwise, they must notify consumers of the additional purposes and provide consumers the right to limit such processing.
The CPRA introduces 'sensitive personal information' as a subcategory of personal information and defines it as:
- personal information that reveals:
  - a consumer's social security, driver's license, state identification card, or passport number;
  - a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  - a consumer's precise geolocation;
  - a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership;
  - the contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication; or
  - a consumer's genetic data;
- the processing of biometric information for the purpose of uniquely identifying a consumer;
- personal information collected and analyzed concerning a consumer's health; and/or
- personal information collected and analyzed concerning a consumer's sex life or sexual orientation; and/or
- sensitive personal information that is 'publicly available' shall not be considered sensitive personal information or personal information.
Unique to the CPRA's definition of sensitive personal information is the inclusion of financial account information, data about a consumer's government-issued identifications, and the contents of a consumer's communications to any party that is not the business. Despite this expansive list of categories of information included in the definition, the CPRA states that sensitive personal information 'shall be treated as personal information for purposes of all . . . sections of' the CPRA, except where it is collected or processed for 'the purpose of inferring characteristics about a consumer.'
The CPRA defines 'infer' to mean 'the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.' In 2022, the California Attorney General issued Opinion Number 20-303, which provides helpful guidance on what may constitute an inference.
Where a business collects or processes sensitive personal information to infer characteristics about a consumer, it will either need to restrict its use of such information to the permissible purposes set forth in the CPRA and the regulations or, if it goes beyond those purposes, it will need to provide consumers with a notice and the right to limit the business's use of the information to such purposes.
The regulations identify the following permissible purposes for which businesses may use or disclose sensitive personal information without triggering the right to limit requirements, provided that the use or disclosure is reasonably necessary and proportionate to the purposes:
- perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services;
- prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
- resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
- ensure the physical safety of natural persons;
- short-term, transient use, including but not limited to, non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business;
- perform services on behalf of the business;
- verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by the business; and
- collect or process sensitive personal information where such collection or processing is not for the purpose of inferring characteristics about a consumer.
Consumers' right to limit use and disclosure of sensitive personal information
The regulations also require businesses to consider how they interact with consumers when providing methods for consumers to submit requests to limit the use and disclosure of their sensitive personal information. A business that interacts with and collects sensitive personal information from consumers online must provide an interactive form through a 'Limit the Use of My Sensitive Personal Information' link. Clicking on the 'Limit the Use of My Sensitive Personal Information' link shall immediately limit the use and disclosure of that consumer's sensitive personal information or take that consumer to a webpage where a consumer can make the request. In lieu of providing the 'Limit the Use of My Sensitive Personal Information' link, businesses may provide the 'Alternative Opt-Out Link.' The Alternative Opt-Out Link is an alternative method that allows a business to provide one opt-out link instead of the two separate 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information' links. Other opt-out methods include a toll-free telephone number, email address, a form submitted in person, or a form submitted through email.
If the consumer exercises their right to limit a business's use or disclosure of sensitive personal information, the business must comply with the request by ceasing to use and disclose the consumer's sensitive personal information within 15 business days of receiving the request. Businesses must direct all service providers, contractors, and third parties to comply with the request as well. For at least 12 months following the request, businesses must refrain from asking the consumer to authorize the use or disclosure of such information for additional purposes.
Overall, a business may process sensitive personal information for the permissible purposes provided above without providing consumers with the right to limit such processing. If a business processes sensitive personal information for the purpose of inferring characteristics about a consumer or for another purpose that goes beyond the list of permissible purposes, then it will be required to provide a notice of the right to limit and to develop processes for consumers to submit requests to limit. Businesses must provide consumers with proper methods for submitting requests and develop internal procedures for responding to and complying with such consumer requests within the 15-day requirement. Businesses will also have an obligation to instruct any service providers, contractors, or third parties to stop processing sensitive personal information of the consumer. To meet this obligation, businesses will need to build out a vendor management system that effectively allows the business to communicate with each service provider, contractor, and third party their instructions for complying with a consumer's request. Lastly, businesses must consider the use and purpose limitation that applies to any processing of sensitive personal information and closely monitor their use and disclosure of such information.