Keypoint: The CPRA requires that businesses use certain types of sensitive personal information only for limited purposes; otherwise, they must notify consumers of the additional purposes and provide consumers the opportunity to opt out of such processing. The VCDPA and CPA, by contrast, require controllers to obtain consumer consent and conduct data processing assessments prior to processing sensitive data.

This is the fourth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them.

In this article, we examine how the three laws treat sensitive personal information. The CPRA has a broad definition of sensitive personal information although, to be subject to the law's limitations, a business must collect or process that information for the "purpose of inferring characteristics about a consumer." If so, the CPRA grants consumers the right to limit a business's processing of such data to certain purposes specified in the law. Conversely, the VCDPA and CPA define sensitive data differently than the CPRA and require controllers to obtain consumer consent and conduct a data processing assessment prior to processing such information.

Below is an analysis of this topic.

California Privacy Rights Act (CPRA)

The current California Consumer Privacy Act (CCPA) does not define sensitive information or treat it differently. The CPRA introduces "sensitive personal information" as a subcategory of personal information and defines it as:

(1) Personal information that reveals:

(A) A consumer's social security, driver's license, state identification card, or passport number.

(B) A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

(C) A consumer's precise geolocation.

(D) A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership.

(E) The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication.

(F) A consumer's genetic data.

(2) (A) The processing of biometric information for the purpose of uniquely identifying a consumer.

(B) Personal information collected and analyzed concerning a consumer's health.

(C) Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

(3) Sensitive personal information that is "publicly available" pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information.

Among the three laws, the inclusion of financial account information, data about a consumer's government-issued identifications, and the contents of a consumer's electronic communications is unique to the CPRA's definition. The California Privacy Protection Agency (CPPA) also has the authority to update or add additional categories.

Despite the expansive list of categories of information included in the definition, the CPRA states that sensitive personal information "shall be treated as personal information for purposes of all . . . sections of" the CPRA, except where it is collected or processed for "the purpose of inferring characteristics about a consumer."

Where a business collects or processes sensitive personal information for the purpose of inferring characteristics about a consumer, it will either need to self-restrict its use of that information to certain purposes set forth in the CPRA or, if it goes beyond those purposes, it will need to provide consumers with a notice and the right to limit the business's use of the information to the statutory purposes. The CPPA is charged with issuing regulations to ensure that this exception only "applies to information that is collected or processed incidentally, or without the purpose of inferring characteristics about a consumer" and to ensure that "businesses do not use the exemption for the purpose of evading consumers' rights to limit the use and disclosure of their sensitive personal information."

Where a business collects or processes sensitive personal information for the purpose of inferring characteristics about a consumer, the CPRA identifies three permissible purposes for which businesses can use sensitive personal information.

First, businesses can use sensitive personal information if it is "necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services."

Second, businesses can use sensitive personal information to perform the services set forth in § 1798.140(e)(2), (4), (5) and (8), which are:

  • Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.
  • Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.
  • Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

The CPPA is charged with issuing regulations to determine the scope of the last bullet point.

Third, businesses can use sensitive personal information for any purposes that are authorized by the CPPA in its rulemaking.

As noted, if a business processes sensitive personal information for uses that do not fall into the above three categories and to infer characteristics about consumers, it must (1) provide a notice to consumers explaining those uses and (2) allow consumers to opt out of those uses by providing a "clear and conspicuous link on the business' internet homepages, titled 'Limit the Use of My Sensitive Personal Information.'" This link can be blended with the "Do Not Sell or Share My Personal Information" link if the business also sells or shares personal information.

Alternatively, businesses do not need to provide a link if they allow consumers to exercise their rights through an opt-out preference signal indicating the consumer's intent to opt out. We will explore the CPRA's opt-out signal provisions in a later article.

If the consumer exercises their right to limit a business's use or disclosure of sensitive personal information, the business must refrain from using or disclosing this information and wait at least 12 months before requesting the consumer to authorize the use or disclosure of such information for additional purposes.

Given that the CPRA rulemaking process is ongoing with no draft rules to date, the precise contours of the CPRA's treatment of sensitive personal information are yet to be determined. In September 2021, the CPPA published an Invitation for Preliminary Comments that provides some window into the CPPA's thinking on this issue. Specifically, the CPPA solicited and received written comments on the following topics related to this issue:

  • What rules and procedures should be established to allow consumers to limit businesses' use of their sensitive personal information.
  • What requirements and technical specifications should define an opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer's intent to opt out of the sale or sharing of the consumer's personal information or to limit the use or disclosure of the consumer's sensitive personal information.
  • What businesses should do to provide consumers who have previously expressed an opt-out preference via an opt-out preference signal with the opportunity to consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information.
  • What constitutes "sensitive personal information" that should be deemed "collected or processed without the purpose of inferring characteristics about a consumer" and therefore not subject to the right to limit use and disclosure.
  • What use or disclosure of a consumer's sensitive personal information by businesses should be permissible notwithstanding the consumer's direction to limit the use or disclosure of the consumer's sensitive personal information.

Public comments are available on the CPPA's website.

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA's definition and treatment of sensitive data differ from the CPRA in three ways.

First, the VCDPA's definition is different:

"Sensitive data" means a category of personal data that includes:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. The personal data collected from a known child; or
  4. Precise geolocation data.

Unlike the CPRA, the VCDPA's definition does not include government-issued identification, certain financial account information, union membership, sex life information, or the contents of a consumer's electronic communications where the business is not the intended recipient. Conversely, California does not include personal data collected from a known child and citizenship or immigration status. The laws' definitions of biometric information/data are also different as we discussed in a prior article. Again, California's definition must be read in the context of its qualification that the information be used for the "purpose of inferring characteristics about a consumer."

Second, the VCDPA requires controllers to obtain consumer consent before processing sensitive data or, with regard to known children, to process such data in accordance with the federal Children's Online Privacy Protection Act (COPPA). This is in contrast to the CPRA's opt-out model (although the CPRA's treatment of children's data requires further exploration, which we will do in a future article). Consent must be based on a "consumer's freely given, specific, informed, and unambiguous agreement" for the controller to process the data.

Third, the VCDPA requires controllers to conduct and document a data protection assessment prior to processing sensitive data. We analyzed data protection assessments in a prior article in this series. It is possible the CPPA will issue regulations requiring similar assessments for the processing of sensitive personal information under the CPRA. However, as of the publication of this article, there is no such requirement.

Finally, this analysis is subject to future amendments to these bills. The Virginia legislature is currently considering a bill – HB 1259 – that seeks to modify the VCDPA's treatment of sensitive data.

Colorado Privacy Act (CPA)

The CPA's treatment of sensitive data is generally consistent with the VCDPA: a consent model that also requires the controller to conduct a data protection assessment.

However, the two laws have differing definitions of "sensitive data." For example, the CPA's definition does not include precise geolocation and, although both laws' definitions include sexual orientation and mental or physical health diagnoses, the CPA's definition expands to include sex life (like the CPRA) and mental or physical health conditions. Further, while both statutes include biometric data processed for the purpose of uniquely identifying a natural person, the laws differ in their treatment of such data as we summarized in a prior article in this series.

Finally, while both laws require controllers to obtain consent to process sensitive data, their definitions of consent are not identical. Interestingly, the VCDPA and CPA do not specifically state that controllers must allow consumers to withdraw consent at any time (as does GDPR Article 7, for example). The CPA does address the withdrawal of consent in the context of the universal opt-out mechanism, but not in the context of processing of sensitive data.

Consequences of the Variations

The similarity between the VCDPA and the CPA will make compliance between those laws more streamlined as compared to the CPRA, subject to potential rulemaking on the topic by the Colorado Privacy Protection Agency and potential legislative action on the VCDPA. That said, depending on the types of information a business collects, CPRA compliance may be easier because it does not require consumer consent for processing of sensitive personal information nor does it impose additional obligations where processing is not for the purpose of inferring characteristics. However, the complexity of CPRA compliance is subject to further rulemaking, in particular rulemaking around the opt-out signals.

An interesting question is whether an organization could take the position that obtaining upfront consumer consent is sufficient to satisfy all three laws. In essence, the CPRA "bakes in" implied consumer consent but only as to the three specific statutory categories discussed above. In other words, so long as a business only processes sensitive personal information for those three permissible statutory categories, it does not have to provide the opt out.

The question is whether a business would derive any benefit from collecting upfront consumer consent for processing activities beyond the three permissible statutory categories since it may already need to do so for VCDPA and CPA compliance purposes. However, there is nothing in CPRA §§ 1798.121 or .135 that states that obtaining consumer consent obviates the need to provide consumers with the right to limit the use of their sensitive personal information. Instead, the concept of consent only comes up after a consumer exercises this right. For example, CPRA § 1798.135(c)(4) states that if a business receives a request to limit a consumer's use of sensitive personal information, it needs to wait at least 12 months before requesting that the consumer authorize the use. Businesses that recognize opt-out preference signals also are permitted to seek consumer consent to ignore that signal but that consent must be revocable. Perhaps the CPPA will reach a different conclusion during its rulemaking process but, at present, it does not appear that consumer consent is a viable approach for ensuring interoperability between these laws.

Ultimately, perhaps the best approach to complying with these three laws is for organizations to look at their data collection practices and not unnecessarily collect sensitive personal information for which there is no business need. Limiting an organization's data collection to only that which is necessary could alleviate compliance efforts.
