How to Navigate the CPRA’s ‘Limit the Use of My Sensitive Personal Information’ Mandate

In the world of consumer data privacy laws, “Limit the use of my sensitive personal information” is a powerful phrase, especially for California consumers and companies that do business in the state required to comply with the California Privacy Rights Act (CPRA).

This blog dives into the CPRA’s sensitive personal information provision, what it means, and how to comply.

Defining Sensitive Personal Information

Passed by voters in November 2020, the CPRA expanded on the California Consumer Privacy Act (CCPA), strengthening consumer protections and introducing the right for consumers to limit the use and disclosure of their sensitive personal information.

First, it’s important to understand the difference between personal information and sensitive personal information. Under the CPRA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

This definition includes data such as name, email address, and other identifiers; geolocation data; internet activity information such as browsing and search history; commercial information such as records of personal property, products or services purchased; and characteristics of protected classifications.

You may see a link on websites that reads “Do Not Sell or Share My Personal Information”—this gives consumers control over what businesses do with their personal information and often appears next to “Limit the Use of My Sensitive Personal Information” links.

Sensitive personal information is a category of personal information that includes a consumer’s:

• Social Security, driver’s license, state identification card, or passport number;
• Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
• Precise geolocation;
• Racial or ethnic origin, religious or philosophical beliefs, or union membership;
• The contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication; and
• Genetic data. 

One important note is that biometric information, personal information collected and analyzed related to a consumer’s health, and information concerning their sex life or sexual orientation is not considered sensitive or personal information if it’s publicly available.

The Meaning of ‘Limit the Use of My Sensitive Personal Information’

By nature, sensitive personal data has the potential to cause harm—more so if it’s misused. For example, sensitive personal information could be used to discriminate against someone based on their religion or sexuality, or if financial information were used for identity theft. Because of this potential, legislators in California wanted to give consumers more control over how their sensitive personal information is used and provide a way to hold businesses accountable if they don’t protect their most sensitive personal information from hackers and security breaches.

How does the CPRA do this?

In short, the law gives consumers carte blanche authority to limit the use of their sensitive personal information collected by your organization to what’s necessary to perform the services or provide goods reasonably expected by an average consumer. When a business is given that directive, they cannot use or disclose it for any other purpose without being subject to penalties. The law states that fines are higher if a child is involved.

If a business collects sensitive personal information, they are required to provide a link on their homepage, titled “Limit the Use of My Sensitive Personal Information,” where consumers can exercise their rights to opt-out.

Does My Business Have to Comply?

If your business is subject to the CPRA, you must provide consumers with the option to limit the use of their sensitive personal information. In case you’ve forgotten, here’s a quick refresher on the applicability of the CPRA. The law applies to those organizations that do business in the state and process the personal information of residents if they make over $25 million in revenue the previous year; buy, sell, or receive personal information from 100,000 or more California consumers; and those that get at least 50 percent of their annual revenue from sharing personal information of the state’s residents.

As part of their responsibilities under the CPRA, businesses are required to:

• Inform consumers how they collect and use personal information.
• Only collect information for specific, explicit and legitimate disclosed purposes.
• Collect personal information only to the extent that is relevant and limited to what is necessary.
• Enable consumers to delete, correct, and opt out of the sale of personal information and to limit the use of their sensitive personal information.
• Take reasonable precautions to protect information.
• Not penalize consumers for exercising their rights. 

One thing to note is that sensitive personal information collected or processed without the purpose of “inferring characteristics” about a consumer is not subject to limiting by consumers, but it should be treated the same as personal information under the CPRA.

How to Comply with the CPRA’s ‘Limit the Use of My Sensitive Information’ Requirement

To comply with the CPRA, businesses must provide consumers with the categories of sensitive personal information to be collected and the purposes for collection or use; inform them of whether the information is shared or sold; and tell consumers how long they retain sensitive personal information.

Businesses that process personal information must also implement a few key avenues for consumers to opt out.

• Provide a clear and conspicuous link on your homepages, titled “Do Not Sell or Share My Personal Information,” that allows consumers to opt-out of the sale or sharing of the consumer’s personal information.
• Provide a clear and conspicuous link on the business’ internet homepages, titled “Limit the Use of My Sensitive Personal Information,” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information.
• Instead of the above two options, businesses can opt to use a single, clearly labeled link on their homepage that allows a consumer to opt out of both the sale or sharing of their personal information and to limit the use or disclosure of their sensitive personal information.
• Use a universal opt out mechanism. Consumers can signal to a business that they want to limit the use of their sensitive personal information through a universal opt out mechanism, such as the Global Privacy Control.

Understanding your obligations and ensuring the right disclosures are essential, as the CPRA is serious when it comes to enforcement and fees can add up quickly. Penalties are $2,500 per violation or a whopping $7,500 for an intentional violation or a violation that affects a minor.

While the privacy landscape is complex, and growing more so with new regulations, compliance doesn’t have to be. If you’re subject to the CPRA, you may want to consider compliance software, such as Osano, which can simplify the process by managing opt-out requests, processing universal preference signals, and automating consumer and employee subject rights requests.