Data Privacy Dish November 13
Friday, November 13, 2020

Does the CPRA require companies to publish the data retention period that applies to the personal information they collect from consumers?

Yes.

Most privacy laws in the United States do not require that a company publicly disclose the length of time that personal information will be kept. While the CCPA did not contain such a requirement, the CPRA will require, beginning on January 1, 2023, that businesses inform consumers at the point at which information is collected of the “length of time the business intends to retain each category of personal information” that it collects.[1] If it is not possible for a business to provide consumers with a specific retention period, the business is instructed to disclose “the criteria used to determine such period. . . .”[2]

Does the CPRA require that companies get opt-in consent from consumers before collecting their sensitive personal information?

No.

The CCPA did not explicitly label any data type as being more, or less, “sensitive” than another, although it did confer special data security-related rights on a subset of data types (e.g., Social Security numbers, driver’s license numbers, medical information, etc.).

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [3] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have a limited right to object to a business’s continued use of sensitive personal information. The statute does not require, however, that a business obtain opt-in consent from a consumer before collecting or utilizing their sensitive personal information.

Does the CPRA give consumers a right to object to a business’s continuing use of sensitive personal information?

The CCPA did not explicitly label any data type as being more, or less, “sensitive” than another, although it did confer special data security-related rights on a subset of data types.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [4] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct “at any time” a business to “limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requested [those] goods or services.”[5]

Is the CPRA’s right to object to the continued use of sensitive personal information an absolute right?

No.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.” [6] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct “at any time” a business to “limit its use of the consumer’s sensitive personal information . . . .”[7] This right to object to the continued use of sensitive personal information is not absolute, however. If a consumer instructs a business to limit the use of their sensitive personal information, a business may still use or disclose the information for, among other things, the following purposes:

  1. Performing services requested by the consumer, so long as the use of the data is reasonably expected by an average consumer as necessary to perform such services.[8]

  2. Providing goods requested by the consumer, so long as the use of the data is reasonably expected by an average consumer as necessary to provide such goods.[9]

  3. Helping to ensure the security and integrity of the business, or the security and integrity of the personal information, to the extent that the use of the information is “reasonably necessary and appropriate.”[10]

  4. Providing non-personalized advertising shown as part of a consumer’s current interaction with the business, so long as the data is not provided to a third party and is not used to build a marketing profile about the consumer.[11]

  5. Servicing accounts on behalf of the business. [12]

  6. Providing customer service for a business.[13]

  7. Processing or fulfilling orders. [14]

  8. Verifying customer information. [15]

  9. Processing payments. [16]

  10. Providing financing.[17]

  11. Providing analytical services. [18]

  12. Providing data storage to a business. [19]

  13. Verifying the quality or safety of certain services or devices.[20]

 


[1] CPRA, 1798.100(a)(3).

[2] CPRA, 1798.100(a)(3).

[3] CPRA, 1798.140(ae).

[4] CPRA, 1798.140(ae).

[5] CPRA, 1798.121(a).

[6] CPRA, 1798.140(ae).

[7] CPRA, 1798.121(a).

[8] CPRA, 1798.121(a).

[9] CPRA, 1798.121(a).

[10] CPRA, 1798.121(a), 1798.140(e)(2).

[11] CPRA, 1798.121(a); 1798.140(e)(4).

[12] CPRA, 1798.121(a); 1798.140(e)(5).

[13] CPRA, 1798.121(a); 1798.140(e)(5).

[14] CPRA, 1798.121(a); 1798.140(e)(5).

[15] CPRA, 1798.121(a); 1798.140(e)(5).

[16] CPRA, 1798.121(a); 1798.140(e)(5).

[17] CPRA, 1798.121(a); 1798.140(e)(5).

[18] CPRA, 1798.121(a); 1798.140(e)(5).

[19] CPRA, 1798.121(a); 1798.140(e)(5).

[20] CPRA, 1798.121(a); 1798.140(e)(8).

 
