How to Comply With the CPRA's "Limit the Use of My Sensitive Personal Information" Requirement

In order to comply with this, you must inform consumers as to how you intend to use any sensitive personal information you process before you collect it, as well as let them know whether you will be selling or sharing that information and how long you plan to keep it.

This article will discuss this CPRA requirement and offer guidance for how you can comply with it.

Who Does the CPRA Apply to?

The CPRA applies to certain businesses that do business in the state of California and process consumers' personal information. Applicable businesses include:

• Organizations that made over $25 million in revenue the previous year
• Organizations that buy, sell, or receive personal information from 100,000 or more California consumers or households
• Organizations that get at least 50% of their annual revenue from selling or sharing the personal information of California residents

The CPRA was created with the intention of providing more comprehensive protection for consumers' private information, as well as giving California residents more rights when it comes to the sale and sharing of their personal information and limiting the use of their sensitive personal information.

What the CPRA Requires of Businesses

The California Privacy Rights Act (CPRA) went into effect on January 1st, 2023, and adds many amendments to one of California's current privacy laws, the California Consumer Privacy Act (CCPA).

An important addition to the CCPA is the expansion of the definition of personal information to include sensitive personal information.

In order to be in compliance with this amendment from the CPRA, you should make sure that you understand what the law requires and the methods you can use to ensure that your business is treating consumers' sensitive personal information appropriately.

The CPRA changes the CPRA to make it require that businesses:

• Only collect personal information that is necessary for legitimate business purposes
• Clearly communicate to consumers about how they use the personal information they collect
• Let consumers know how they can choose to access and edit their personal information as well as how to opt-out of it being sold or shared
• Limit use of sensitive personal information
• Keep consumers' personal information secure
• Not treat consumers any differently for exercising these rights

The Responsibilities of Businesses part of Section 3 (Purpose and Intent) of the CPRA covers expectations for how businesses should handle personal information and calls for businesses to limit the use of sensitive personal information.

Businesses that don't comply with the CPRA's new requirements to the CCPA can be penalized, with higher penalties for any violations that affect children.

The CPRA amended the CCPA to grant certain privacy rights to consumers, and it is your responsibility to make sure that your business informs consumers of these rights.

Consumer Rights Under the CPRA

According to the CPRA, consumers have the right to:

• Delete personal information
• Correct personal information
• Know what personal information is being collected
• Access personal information
• Know what personal information is sold or shared and who it is sold to or shared with
• Opt out of the sale or sharing of their personal information
• Limit the use and disclosure of personal information
• Not to be punished for opting out or exercising other privacy rights

What is Personal Information?

The CPRA defines personal information as any information that can be used to identify or is associated with a consumer or household:

Personal information includes but isn't limited to:

• Identifying information such as names, addresses, IP addresses, email addresses, and social security, driver's license, and passport numbers
• Commercial data such as property records and purchase histories
• Biometric information, for example face, iris, or voice recognition or fingerprint scanning
• Internet information, including browsing and search history
• Employment and educational information
• Geolocation data
• Sensitive personal information

What is Sensitive Personal Information?

According to the CPRA, sensitive personal information includes any private information that divulges any of the following:

• Personal identification numbers, including social security, driver's license, passport, or state ID card numbers
• Account or debit or credit card numbers combined with passwords or codes that would enable access to the accounts
• A consumer's exact geolocation
• A consumer's racial origin, religious beliefs, or union membership
• A consumer's mail, email, or text message content unless the information was intentionally sent to the business
• A consumer's genetic data, such as DNA samples

Sensitive personal information includes the processing of any biometric data to identify a consumer, as well as personal information concerning a consumer's health or sexual orientation.

Note that any sensitive personal information that is publicly available is not considered sensitive personal information or personal information under this law.

The CPRA amended the CCPA to now include sensitive personal information.

What is the "Limit Use and Disclosure of Sensitive Personal Information" Requirement?

This part of the CPRA was added to the existing Civil Code to ensure that consumers have the right to limit the use and disclosure of their sensitive personal information.

The text of Section 1798.121 of the CPRA informs businesses that consumers have the right to tell businesses who fall under the jurisdiction of the law to limit the use of their sensitive personal information to only that which is necessary for providing products or services to consumers.

It also lets businesses know that they must notify consumers before using or disclosing any sensitive personal information for any reasons other than those necessary to provide products or services, and to let consumers know about their right to limit the use or disclosure of their sensitive personal information.

Any sensitive personal information that is collected for a purpose other than "inferring characteristics about a consumer" is not covered by this part of the CPRA.

For instance, if a store is using a security camera to monitor the premises, an individual entering the store would not automatically have CPRA rights. If, however, the camera had facial recognition technology, the information collected would then fall under biometric data, and the individuals being recorded would be covered under the CPRA.

Methods for Complying with the "Limit Use and Disclosure of Sensitive Personal Information" Section of the CPRA

To comply, you will need to let consumers know how you plan to use the personal information you are seeking to collect. You must make this disclosure available before you collect the personal information.

You must also disclose whether you will be selling or sharing that information with any other parties, and how long you plan to keep it after you collect it.

If your business is planning on using the personal information it has collected for a purpose other than those the consumer initially agreed to, then you must notify consumers of that purpose before doing so.

You must also inform consumers as to how long you plan to keep the personal information and sensitive personal information you collect, which should not be for any longer than absolutely necessary.

To make sure that you are limiting the use and disclosure of sensitive personal information, you can put links on your business's homepage that direct consumers to a separate page. This page will guide consumers through the process of opting out of the sale or sharing of their personal information and limiting the use of their sensitive personal information.

The text of Section 1798.135 of the CPRA goes into detail about the methods your business can use to limit the sale, sharing, and use of personal and sensitive personal information.

Let's look more at these methods.

Method 1: Create a "Do Not Sell or Share My Personal Information" Page

To show consumers how they can opt out of the selling or sharing of their personal information, you can create a link on your business's homepage with the title "Do Not Sell or Share My Personal Information."

The link should be easy to find and not hidden or titled in a way that could mislead users. The link should take users to a page that is designed to guide them through the process of opting out of the sale or sharing of their personal information.

The Law Offices of Snell and Wilmer places a link titled "Do Not Sell or Share my Personal Information" in the footer of its website so that consumers can access the link no matter what page on the site they may navigate to:

The "Do Not Sell or Share My Personal Information" link takes users to a page that informs them that Snell and Wilmer shares the personal information it collects with its subsidiary company for marketing purposes, and lets users know that they can fill out a contact form in order to request that their personal information not be shared:

If you already have a CCPA-compliant "Do Not Sell My Personal Information" page and link, you can update this to include sharing as well.

Another method for complying with the CPRA's amendments is by creating a page that allows consumers to limit the use of their sensitive personal information, which we will go over next.

Method 2: Create a "Limit the Use of My Sensitive Personal Information" Page

Consumers have the right to limit the use of their sensitive personal information to only those purposes that are necessary for the business to provide products or services to the consumer.

You can create a link titled "Limit the Use of My Sensitive Personal Information" and put it in a conspicuous place on your business's website. This link should take consumers to a page that enables them to limit the use of their sensitive personal information to only that which is essential for providing goods or services.

This page should also let consumers know that your business must notify them if at any point it intends to use their sensitive personal information for any additional purposes.

Method 3: Create an Alternative Link

If you wish to skip the first two methods for ease of navigation or aesthetic reasons, you can alternatively create a single link on your business's website that enables consumers to easily opt out of the sale or sharing of their personal information and limit the use or disclosure of their sensitive personal information.

Instead of creating a "Limit the Use of My Sensitive Personal Information" link, Tinder provides a link that enables users to withdraw their consent to be tracked by the company:

After clicking on the "Personalize my choices" button, users are taken to a Privacy Preference Center page, where they have the choice to opt out of having their information stored or retrieved for marketing and analytics purposes:

If none of the above steps seem right for your business, you also have the option of relying on preference signals to convey your consumers' personal information choices, which we'll look at next.

Method 4: Use a Preference Signal

Your business does not need to provide the above-mentioned links if it allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information via an opt-out preference signal sent with the consumer's consent that informs the business of the consumer's intentions.

This preference signal might be a browser plug-in, or a privacy or device setting that lets your business know that your consumers wish to opt out of selling or sharing their personal data or limit the use of their sensitive personal information.

You can also provide a link on your website that directs consumers to a page that gives consumers the option of allowing your business to ignore their opt-out preference signal.

In other words, it enables consumers to opt back into the sale or sharing of their information.

Penalties for Non-Compliance

Choosing the right method or combination of methods can help your business to avoid penalties and fines for violating the CPRA's amendments to the CCPA, which range from a fine of $2,500 per violation up to $7,500 for each intentional violation, or $7,500 for any violation that involves minors.

Summary

The CPRA was created to strengthen the CCPA by amending and expanding the CCPA. It expands on the definition of personal information to include sensitive personal information, and gives consumers the right to opt-out of the sale and sharing of their personal information. It also enables consumers to limit the use of their sensitive personal information.

There are several methods your business can choose from to ensure compliance with the CPRA's "Limit the Use and Disclosure of Sensitive Personal Information" section. These methods include:

• Create a "Do Not Sell or Share My Personal Information" page
• Create a "Limit the Use of My Sensitive Personal Information" page
• Create an alternative link that allows consumers to opt out of or limit the use of their private information
• Use a preference signal

Penalties for violations of the CCPA and CPRA's amendments are fines of $2,500 per violation, $7,500 per intentional violation, or $7,500 per violation that affects a minor.