02 April 2021
The California Consumer Privacy Act (CCPA) is already the most demanding U.S. state privacy law. By voting "Yes" on Proposition 23 and enacting the California Privacy Rights Act (CPRA), Californians extended their state's privacy law obligations even further.
The CPRA expands several existing CCPA provisions and adds some new requirements.
There are two types of sensitive personal information. Here's a breakdown of each type:
Type 1. Personal information that reveals:
Unless your business is the intended recipient, the contents of a consumer's:
Under Section 1798.40 (ae) (3) of the CPRA, sensitive personal information doesn't include publicly available information (with some caveats).
Here's how the CPRA lists the first type of sensitive personal information, under Section 1798.40 (ae) (1):
Here's the second type of personal information, under Section 1798.40 (ae) (2) of the CPRA:
So what does this new right entail? Suppose a consumer submits a "verifiable consumer request" under the right to limit your use and disclosure of their personal information. In that case, you must stop using or sharing their sensitive personal information.
There are some exceptions to this right. You may continue to use or disclose the sensitive personal information of a consumer who has submitted a request, but only:
The right to correct requires you to:
The CPRA expands the CCPA's "right to opt out." While the CCPA granted consumers the right to opt out of the "sale" of their personal information, the CPRA extends this right to the "sharing" of personal information.
The CPRA's definition of "sharing" personal information encompasses any "communication" of personal information, including for the purposes of "cross-context behavioral advertising."
Many observers believe that using third-party cookies already falls under the CCPA's definition of "sale" (see our article "CCPA: Does Using Third-Party Cookies Count as Selling Personal Information?" for more information about that). But the CPRA removes any ambiguity about this.
Here's the relevant part of the CPRA, at Section 1798.40 (ah) (1):
Note that the usual CCPA exceptions apply to the definition of "sharing," under Section 1798.40 (ah) (2):
If you share personal information, you'll need to set up a page where consumers can exercise their right to opt out, and include a link to this page on your homepage (or app) that reads "Do Not Sell or Share My Personal Information."
The CPRA requires you to disclose the period for which you intend to retain (keep/store) a consumer's personal information and sensitive personal information.
If you can't say precisely how long you intend to keep a consumer's personal information, you must disclose the criteria you use to determine how long you intend to keep it. However, you must not keep the information "for longer than is reasonably necessary" in connection with your disclosed purpose for collecting it.
For example, you may need to keep a consumer's personal information for six years in order to comply with a legal obligation. Or you may need to keep the consumer's personal information for as long as they hold an account and for four weeks after they close their account.
Here's the relevant part of the CCPA, at Section 1798.100 (3):
For all businesses:
Information about the "right to correct," including:
If you "share" personal information (according to the CPRA's definition):
Information about the "right to opt out of personal information-sharing," including:
If you collect or use "sensitive personal information" (according to the CPRA's definition):
Information about the "right to limit the disclosure or use of sensitive personal information," including: