January 21, 2021

Volume XI, Number 21

Data Privacy Dish November 13

Does the CPRA require companies to publish the data retention period that applies to the personal information they collect from consumers?

Yes.

Most privacy laws in the United States do not require that a company publicly disclose the length of time that personal information will be kept. While the CCPA did not contain such a requirement, the CPRA will require, beginning on January 1, 2023, that businesses inform consumers at the point at which information is collected of the “length of time the business intends to retain each category of personal information” that it collects.[1] If it is not possible for a business to provide consumers with a specific retention period, the business is instructed to disclose “the criteria used to determine such period. . . .”[2]

Does the CPRA require that companies get opt-in consent from consumers before collecting their sensitive personal information?

No.

The CCPA did not explicitly label any data type as being more, or less, “sensitive” than another, although it did confer special data security-related rights on a subset of data types (e.g., Social Security numbers, driver’s license numbers, medical information, etc.).

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[3] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have a limited right to object to a business’s continued use of sensitive personal information. The statute does not require, however, that a business obtain opt-in consent from a consumer before collecting or utilizing their sensitive personal information.

Does the CPRA give consumers a right to object to a business’s continuing use of sensitive personal information?

The CCPA did not explicitly label any data type as being more, or less, “sensitive” than another, although it did confer special data security-related rights on a subset of data types.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[4] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct “at any time” a business to “limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requested [those] goods or services.”[5]

Is the CPRA’s right to object to the continued use of sensitive personal information an absolute right?

No.

The CPRA created a new sub-category of personal information that it labels “sensitive personal information.”[6] The sub-category is comprised of twenty specific data fields which include, among other things, the religious beliefs, racial origin, precise geolocation, and sexual orientation of a consumer. Beginning on January 1, 2023, consumers will have the right to instruct “at any time” a business to “limit its use of the consumer’s sensitive personal information . . . .”[7] This right to object to the continued use of sensitive personal information is not absolute, however. If a consumer instructs a business to limit the use of their sensitive personal information, a business may still use or disclose the information for, among other things, the following purposes:

  1. Performing services requested by the consumer, so long as the use of the data is reasonably expected by an average consumer as necessary to perform such services.[8]

  2. Providing goods requested by the consumer, so long as the use of the data is reasonably expected by an average consumer as necessary to provide such goods.[9]

  3. Helping to ensure the security and integrity of the business, or the security and integrity of the personal information, to the extent that the use of the information is “reasonably necessary and appropriate.”[10]

  4. Providing non-personalized advertising shown as part of a consumer’s current interaction with the business, so long as the data is not provided to a third party and is not used to build a marketing profile about the consumer.[11]

  5. Servicing accounts on behalf of the business.[12]

  6. Providing customer service for a business.[13]

  7. Processing or fulfilling orders.[14]

  8. Verifying customer information.[15]

  9. Processing payments.[16]

  10. Providing financing.[17]

  11. Providing analytical services.[18]

  12. Providing data storage to a business.[19]

  13. Verifying the quality or safety of certain services or devices.[20]

 


[1] CPRA, 1798.100(a)(3).

[2] CPRA, 1798.100(a)(3).

[3] CPRA, 1798.140(ae).

[4] CPRA, 1798.140(ae).

[5] CPRA, 1798.121(a).

[6] CPRA, 1798.140(ae).

[7] CPRA, 1798.121(a).

[8] CPRA, 1798.121(a).

[9] CPRA, 1798.121(a).

[10] CPRA, 1798.121(a); 1798.140(e)(2).

[11] CPRA, 1798.121(a); 1798.140(e)(4).

[12] CPRA, 1798.121(a); 1798.140(e)(5).

[13] CPRA, 1798.121(a); 1798.140(e)(5).

[14] CPRA, 1798.121(a); 1798.140(e)(5).

[15] CPRA, 1798.121(a); 1798.140(e)(5).

[16] CPRA, 1798.121(a); 1798.140(e)(5).

[17] CPRA, 1798.121(a); 1798.140(e)(5).

[18] CPRA, 1798.121(a); 1798.140(e)(5).

[19] CPRA, 1798.121(a); 1798.140(e)(5).

[20] CPRA, 1798.121(a); 1798.140(e)(8).

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 318

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425