Last updated on 12 August 2022 by Cara Hartley (Legal writer at TermsFeed)
In order to comply with this, you must inform consumers as to how you intend to use any sensitive personal information you process before you collect it, as well as let them know whether you will be selling or sharing that information and how long you plan to keep it.
This article will discuss this CPRA requirement and offer guidance for how you can comply with it.
The CPRA applies to certain businesses that do business in the state of California and process consumers' personal information. Applicable businesses include:
The CPRA was created with the intention of providing more comprehensive protection for consumers' private information, as well as giving California residents more rights when it comes to the sale and sharing of their personal information and limiting the use of their sensitive personal information.
An important addition to the CCPA is the expansion of the definition of personal information to include sensitive personal information.
In order to be in compliance with this section of the CPRA, you should make sure that you understand what the law requires and the methods you can use to ensure that your business is treating consumers' sensitive personal information appropriately.
The CPRA requires that businesses:
The Responsibilities of Businesses part of Section 3 (Purpose and Intent) of the CPRA covers expectations for how businesses should handle personal information and calls for businesses to limit the use of sensitive personal information.
Businesses that don't comply with the CPRA can be penalized, with higher penalties for any violations that affect children.
The CPRA grants certain privacy rights to consumers, and it is your responsibility to make sure that your business informs consumers of these rights.
According to the CPRA, consumers have the right to:
The CPRA requires businesses to protect the privacy of consumers, ensure that consumers understand their privacy rights, and give consumers the ability to easily access and change their collected personal information as desired.
The CPRA defines personal information as any information that can be used to identify or is associated with a consumer or household:
Personal information includes but isn't limited to:
According to the CPRA, sensitive personal information includes any private information that divulges any of the following:
Sensitive personal information also includes biometric data processed to identify a consumer, as well as personal information concerning a consumer's health or sexual orientation.
Note that any sensitive personal information that is publicly available is not considered sensitive personal information or personal information under this law.
This part of the CPRA was added to the existing Civil Code to ensure that consumers have the right to limit the use and disclosure of their sensitive personal information.
The text of Section 1798.121 of the CPRA informs businesses that consumers have the right to direct businesses that fall under the jurisdiction of the law to limit the use of their sensitive personal information to only that which is necessary for providing products or services to consumers.
It also lets businesses know that they must notify consumers before using or disclosing any sensitive personal information for any reasons other than those necessary to provide products or services, and that they must let consumers know about their right to limit the use or disclosure of their sensitive personal information.
Any sensitive personal information that is collected for a purpose other than "inferring characteristics about a consumer" is not covered by this part of the CPRA.
For instance, if a store is using a security camera to monitor the premises, an individual entering the store would not automatically have CPRA rights. If, however, the camera had facial recognition technology, the information collected would then fall under biometric data, and the individuals being recorded would be covered under the CPRA.
To comply, you will need to let consumers know how you plan to use the personal information you are seeking to collect. You must make this disclosure available before you collect the personal information.
You must also disclose whether you will be selling or sharing that information with any other parties, and how long you plan to keep it after you collect it.
If your business is planning on using the personal information it has collected for a purpose other than those the consumer initially agreed to, then you must notify consumers of that purpose before doing so.
You must also inform consumers as to how long you plan to keep the personal information and sensitive personal information you collect, which should not be for any longer than absolutely necessary.
To make sure that you are limiting the use and disclosure of sensitive personal information, you can put links on your business's homepage that direct consumers to a separate page. This page will guide consumers through the process of opting out of the sale or sharing of their personal information and limiting the use of their sensitive personal information.
The text of Section 1798.135 of the CPRA goes into detail about the methods your business can use to limit the sale, sharing, and use of personal and sensitive personal information.
Let's look more at these methods.
To show consumers how they can opt out of the selling or sharing of their personal information, you can create a link on your business's homepage with the title "Do Not Sell or Share My Personal Information."
The link should be easy to find and not hidden or titled in a way that could mislead users. The link should take users to a page that is designed to guide them through the process of opting out of the sale or sharing of their personal information.
The Law Offices of Snell and Wilmer places a link titled "Do Not Sell or Share my Personal Information" in the footer of its website so that consumers can access the link no matter what page on the site they may navigate to:
The "Do Not Sell or Share My Personal Information" link takes users to a page that informs them that Snell and Wilmer shares the personal information it collects with its subsidiary company for marketing purposes, and lets users know that they can fill out a contact form in order to request that their personal information not be shared:
If you already have a CCPA-compliant "Do Not Sell My Personal Information" page and link, you can update this to include sharing as well.
Another method for complying with the CPRA is by creating a page that allows consumers to limit the use of their sensitive personal information, which we will go over next.
Consumers have the right to limit the use of their sensitive personal information to only those purposes that are necessary for the business to provide products or services to the consumer.
You can create a link titled "Limit the Use of My Sensitive Personal Information" and put it in a conspicuous place on your business's website. This link should take consumers to a page that enables them to limit the use of their sensitive personal information to only that which is essential for providing goods or services.
This page should also let consumers know that your business must notify them if at any point it intends to use their sensitive personal information for any additional purposes.
If you wish to skip the first two methods for ease of navigation or aesthetic reasons, you can alternatively create a single link on your business's website that enables consumers to easily opt out of the sale or sharing of their personal information and limit the use or disclosure of their sensitive personal information.
Instead of creating a "Limit the Use of My Sensitive Personal Information" link, Tinder provides a link that enables users to withdraw their consent to be tracked by the company:
After clicking on the "Personalize my choices" button, users are taken to a Privacy Preference Center page, where they have the choice to opt out of having their information stored or retrieved for marketing and analytics purposes:
If none of the above steps seem right for your business, you also have the option of relying on preference signals to convey your consumers' personal information choices, which we'll look at next.
Your business does not need to provide the above-mentioned links if it allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information via an opt-out preference signal sent with the consumer's consent that informs the business of the consumer's intentions.
This preference signal might be a browser plug-in, or a privacy or device setting that lets your business know that your consumers wish to opt out of selling or sharing their personal data or limit the use of their sensitive personal information.
You can also provide a link on your website that directs consumers to a page that gives consumers the option of allowing your business to ignore their opt-out preference signal.
In other words, it enables consumers to opt back into the sale or sharing of their information.
Choosing the right method or combination of methods can help your business to avoid penalties and fines for violating the CPRA, which range from a fine of $2,500 per violation up to $7,500 for each intentional violation, or $7,500 for any violation that involves minors.
The CPRA was created to strengthen the CCPA. It expands the definition of personal information to include sensitive personal information, and gives consumers the right to opt out of the sale and sharing of their personal information. It also enables consumers to limit the use of their sensitive personal information.
There are several methods your business can choose from to ensure compliance with the CPRA's "Limit the Use and Disclosure of Sensitive Personal Information" section. These methods include:
Penalties for violations of the CPRA are fines of $2,500 per violation, $7,500 per intentional violation, or $7,500 per violation that affects a minor.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.