Sensitive Personal Information under CPRA, CPA and VCDPA
Keeping up with data protection and privacy law is challenging because the rules change constantly.
One subject that recently received much attention is consumer consent and the security of consumers’ sensitive personal information.
Every day we come across news of privacy breaches in which businesses lose not only millions of dollars but also their reputation and valuable customer data, which is why data privacy has been in the headlines.
Data privacy regulations have been and still are being passed by the respective national governments to safeguard their citizens’ personal data.
The notion of “sensitive personal information” is newly introduced into U.S. privacy law by the recently passed California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”).
This means that a specific category of personal data needs an extra degree of protection due to its sensitive personal nature and its potential to cause harm to an individual in the unfortunate event of its unauthorized use or disclosure.
Nonetheless, the CPRA, the VCDPA, and the Colorado Privacy Act (“CPA”) regulate this information differently, and businesses need to create separate procedures to meet the legal requirements of each.
This article explores how the three laws treat sensitive personal data.
CPRA defines sensitive personal information broadly.
A business must collect or process such sensitive personal information for the “purpose of inferring characteristics about a consumer” to be subject to the law’s prohibitions.
If so, consumers have the right under the CPRA to limit the business’s use of that information to the uses the law permits.
On the other hand, the VCDPA and CPA have a different definition of sensitive data than the CPRA and mandate that controllers obtain consumer consent and carry out a data processing assessment before processing sensitive data.
What is consent under CPRA?
America’s first data privacy law, known as the California Privacy Rights Act, was passed in 2020.
It modifies the privacy rules currently in effect in the state, primarily the California Consumer Privacy Act, or CCPA.
It establishes a state regulatory agency (the California Privacy Protection Agency, or CPPA) and increases Californians’ authority over personal data.
The CCPA guaranteed the following rights: equality, knowledge, access, permission, and the ability to retain, delete, and port information.
New rights are listed under the CPRA, including:
- the right to be informed;
- the right to limit the use of sensitive personal information;
- the right to modify or opt out of automated decision-making; and
- the right to make corrections.
The CPRA defines consent in the same way as the GDPR does.
Consent is a data subject’s freely given, specific, informed, and unambiguous indication to the business, allowing them to process personal data.
The significance of specific, informed, freely provided, and unambiguous consent is part of the CPRA.
The GDPR definition is far stricter, requiring consent before collecting customer data.
Businesses must implement enhanced consent standards on their websites and mobile applications per CPRA.
Consent is nevertheless required only in specific situations.
In those situations, you must explicitly approve a business’s collection and use of your personal information.
Written statements, electronic statements (such as checking a box), or verbal statements can all be used for this purpose.
Unless the records are exempt from disclosure, state and local agencies are required by the CPRA to make public records available to the public upon request from a consumer.
Information protected from disclosure by a customer’s right to privacy is one of the significant exemptions to disclosure under the CPRA.
An individual must have a reasonable expectation of privacy for information to be protected from disclosure under the CPRA.
This implies that there must be an objectively reasonable expectation of privacy and that the information cannot be widely known or easily accessed.
Consumers have a right to a clear, sincere communication channel with the companies providing their products and services.
Dark Patterns
The CPRA states that “dark patterns” are unacceptable.
These include behavioral advertisements, continuous free trial subscriptions, and pre-selected preferences inserted into irrelevant information.
These should be avoided.
The most recent amendment prohibits specific dark pattern techniques.
Other practices companies should avoid if they wish to deal honestly with consumers include double negatives, asking customers to review every justification before giving consent, and burying the consent request deep inside lengthy text.
Companies will also likely be interested in learning more about how they presently identify customers who have opted out, such as through global privacy control, and what mechanisms must be implemented to ensure adequate consent before collecting and selling additional customer data.
Providing an affirmative consent procedure when a customer opts out may require modifications to a business’s website, mobile application, or privacy policy.
Businesses should consider adjusting when a pop-up or targeted email is needed to obtain consent to avoid creating cookie consent fatigue, a consequence of comparable opt-in consent rules under the GDPR.
Sensitive Personal Information under the CPRA
The CPRA defines sensitive personal information as any personal information that discloses:
- A person’s Social Security number or other state identification number.
- Their log-in credentials for financial accounts, debit or credit cards.
- Their geolocation.
- Their race or ethnicity, and their religious or philosophical beliefs.
- Unless the business is the intended recipient of the communication, the contents of their mail, email, or text messages.
- Their genetic data.
In addition, the use of biometric data to identify a customer, the collection and analysis of personal data on a customer’s health, and the collection and analysis of data regarding a customer’s sex life or sexual orientation are all considered sensitive personal information.
Sensitive personal information under the CPRA encompasses and expands upon the special categories of personal data specified in the GDPR, except political views.
However, processing special categories by default is prohibited by the GDPR.
Controllers must show that processing is permitted under one specified exception, such as express consent.
By contrast, under the CPRA it is the consumers’ responsibility to ensure that processing is restricted to specific purposes.
Customers can restrict how sensitive personal information is used and disclosed for specific business purposes, such as:
- Assisting in protecting security and integrity to the degree that using a customer’s personal data is appropriate and reasonably required for these goals.
- Short-term, transitory use, such as non-personalized advertising displayed during a customer’s current interaction with the business, is permitted as long as the customer’s personal information is kept private, isn’t used to create a profile of the customer, and doesn’t affect the customer’s experience in any other way when the customer isn’t interacting with the business.
- Serving as a company representative by carrying out tasks such as account maintenance and servicing, customer support, order processing and fulfillment, customer information verification, payment processing, financing, analytic services, storage, and other related activities.
- Carrying out operations to maintain, upgrade, or improve a service or product owned, produced, manufactured for, or controlled by the business and verifying or keeping the device’s quality or safety.
Additionally, contractors and service providers must collect only the minimum amount of sensitive personal information required to carry out the business tasks they support.
The CPRA also specifies a number of ways in which companies must allow customers to restrict how sensitive personal information is used and disclosed, including:
- Providing a “Limit the Use of My Sensitive Personal Information” link on their homepage.
- Providing a single link that makes it simple for customers both to restrict how their sensitive data is used and to opt out of the sale or sharing of their personal information.
- Honoring an automatic opt-out preference signal.
Express Consent vs. Implied Consent under CPRA
Under the CPRA regulations, two types of consent can be required: express and implied.
Express consent is when a person expressly permits, in writing, the disclosure of their personal information.
Implied consent is when the person’s behavior and actions indicate that they are aware of their personal information being disclosed and take no action to stop it.
For instance, unless the person has expressly asked for their information to be kept private, a name and contact information provided to a state agency in exchange for a service constitute implied consent for that information to be disclosed to any third party who requests it.
Regarding implied consent versus opt-in consent, the GDPR and the CPRA differ: implied consent is not recognized by the GDPR.
A pre-checked box would be considered implicit consent under European data privacy regulations.
The CPRA, however, is an opt-in law.
The law does foresee specific scenarios in which opt-out would be used rather than opt-in.
Remember that users can always choose not to have any information collected about them, even if they have already consented, which means opting out even when they previously opted in.
The following are sample use cases in which opt-out consent applies:
- Decision-making that is automated (Profiling)
- Targeted advertising, also known as cross-context behavioral advertising
- Processing of Personal Information
- Processing of Minors’ Personal Data
- Sale or Sharing of Personal Data
- Use of Sensitive data
The following are sample use cases in which opt-in consent applies:
- Selling or sharing minors’ personal information (you must obtain permission from the minor’s parent or legal guardian before sharing or selling their personal information)
- Re-Opt-In for Sale After Previously Opting-Out
- Participating in Financial Incentive Programs
- Secondary or Additional Use of Data
Sensitive Personal Information under the VCDPA
There are three areas in which the VCDPA and CPRA differ in their definition and processing of sensitive data.
First, the definition is different in the VCDPA:
“Sensitive data” refers to the category of personal information that consists of:
- Information about an individual’s sexual orientation, citizenship or immigration status, mental or physical health diagnosis, race or ethnic origin, or religious views.
- Using biometric or genetic data to identify a natural person uniquely.
- The private information collected from a known child.
- Accurate geolocation information.
In contrast to the CPRA, the VCDPA’s definition excludes government-issued identification, specific financial account information, union membership, sex life information, and the contents of a consumer’s electronic communications where the business is not the intended recipient.
Conversely, California does not include immigration, citizenship status, or personal information collected from a known child.
The two laws also define biometric information and biometric data differently.
Yet, it’s essential to interpret California’s definition within the framework of its specification that the information is intended for the “purpose of inferring characteristics about a consumer.”
Second, to process sensitive data, controllers are required by the VCDPA to get consent from customers or, in the case of known children, to process the data in compliance with the federal Children’s Online Privacy Protection Act (COPPA).
This is not the case with the CPRA’s opt-out model.
For the controller to process the data, consent must be based on the “consumer’s freely given, specific, informed, and unambiguous agreement.”
Third, controllers must record a data protection assessment under the VCDPA before processing sensitive data.
The CPPA may issue regulations mandating similar assessments for processing sensitive personal information under the CPRA.
As of now, however, no such requirement exists.
Lastly, changes to these bills in the future may affect this analysis.
The Virginia legislature is considering HB 1259 to change how the VCDPA processes sensitive data.
Sensitive Information under the CPA
How the CPA handles sensitive data aligns with the VCDPA, employing a consent model that mandates the controller to conduct a data protection assessment.
The term “sensitive data” is defined differently under the two laws.
For instance, although sexual orientation and diagnoses for mental or physical health are included in the definitions of both laws, the CPA’s definition goes further.
It includes sex life (like the CPRA) and mental or physical health issues.
On the other hand, the definition of both laws excludes precise geolocation.
Furthermore, the laws differ in handling biometric data processed to uniquely identify a natural person, even though both laws include such data.
Lastly, even though both laws mandate controllers to seek consent before processing customers’ sensitive data, the definition of consent is different.
Interestingly, unlike GDPR Article 7, the VCDPA and CPA do not expressly specify that controllers must allow customers to withdraw consent at any moment.
Regarding the universal opt-out mechanism, the CPA handles consent withdrawal but does not address the processing of sensitive data.
Consequences of these variations
Subject to future rulemaking by the Colorado Privacy Protection Agency and potential legislative action on the VCDPA, the similarities between the CPA and the VCDPA will make compliance with those two laws together easier than compliance with the CPRA.
However, because the CPRA does not require consumer consent for processing sensitive personal information, and imposes no additional obligations where processing is not for the purpose of inferring characteristics, CPRA compliance may be much more accessible depending on the categories of data a business collects.
Still, further rulemaking is necessary to address the complexities of CPRA compliance, especially regarding opt-out signals.
One interesting point is whether a business may argue that securing upfront customer consent is adequate to comply with all three laws.
The CPRA essentially “bakes in” implied consumer consent, but only concerning the above-mentioned three statutory categories.
Put another way, a company is exempt from providing the opt-out option if it solely handles sensitive personal data for the above three data privacy regulations.
Since a company may need to obtain upfront consent for processing activities outside of the three statutory categories for VCDPA and CPA compliance, the question is whether doing so would benefit the company in any way.
Neither CPRA § 1798.121 nor § 1798.135, however, indicates that obtaining consent from customers eliminates the requirement to give them the ability to restrict how their sensitive personal information is used.
Instead, consent becomes relevant only once a customer exercises this right.
Conclusion
Ultimately, it may be better for businesses to analyze their data collection processes and refrain from collecting sensitive personal data that isn’t necessary for business purposes to comply with these three regulations.
Compliance efforts may be simplified if an organization collects only the data it requires.
FAQs
1. What is sensitive personal information under CPRA?
Sensitive personal information under CPRA includes data such as Social Security numbers, login credentials for financial accounts, geolocation, race or ethnicity, religious beliefs, contents of communications, genetic data, and more.
2. What is the California Privacy Rights Act (CPRA)?
The CPRA is California’s data privacy law passed in 2020, amending the California Consumer Privacy Act (CCPA). It introduces new rights, including the right to be informed, limit the use of sensitive personal information, modify automated decision-making, and make corrections.
3. What is consent under CPRA?
Consent under CPRA is a data subject’s freely given, specific, informed, and unambiguous indication allowing businesses to process personal data. It follows GDPR-like standards, requiring explicit approval for collecting and using personal information in specific situations.
4. What is implied consent under CPRA?
Implied consent under CPRA occurs when a person’s behavior indicates awareness of their personal information being disclosed without explicitly requesting privacy. CPRA allows both explicit (opt-in) and implied consent, unlike GDPR, which doesn’t recognize implied consent.
5. What is sensitive data under VCDPA?
Sensitive data under VCDPA includes information about sexual orientation, citizenship, mental or physical health, race, and biometric or genetic data. Unlike CPRA, VCDPA requires consent and a data protection assessment before processing sensitive data.
6. What is the Virginia Consumer Data Protection Act (VCDPA)?
VCDPA is a Virginia data privacy law that defines and regulates the processing of sensitive data. It differs from CPRA in its definition of sensitive data and mandates consent and a data protection assessment for processing such data.
7. What is sensitive data under CPA?
Sensitive data under CPA aligns with VCDPA, including sexual orientation and health diagnoses. It requires a consent model and a data protection assessment. Differences exist in the definition of consent and inclusion of certain types of data.
8. What is the difference between express and implied consent under CPRA?
Express consent under CPRA is written permission for disclosing personal information, while implied consent is inferred from a person’s behavior. CPRA recognizes both forms, unlike GDPR, which doesn’t accept implied consent.
9. What is the consequence of variations between CPRA, VCDPA, and CPA?
The variations between CPRA, VCDPA, and CPA may impact compliance efforts. While similarities facilitate compliance between CPA and VCDPA, CPRA’s opt-out model makes compliance potentially more accessible, subject to further rulemaking.
10. What is the best approach for businesses to comply with CPRA, VCDPA, and CPA?
Businesses can simplify compliance by analyzing their data collection processes and refraining from collecting unnecessary sensitive personal data. Understanding the specific requirements of each law and obtaining upfront consent may be beneficial for overall compliance.