April 16, 2021

Volume XI, Number 106

Advertisement

April 16, 2021

Subscribe to Latest Legal News and Analysis

April 15, 2021

Subscribe to Latest Legal News and Analysis

April 14, 2021

Subscribe to Latest Legal News and Analysis

Sensitive Personal Information – What Is It and What Does It Mean for California Privacy Rights Act Compliance?

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(l) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country as it now includes entirely new classes of personal information such as racial, ethnic origin, religious or philosophical beliefs or union membership, the content of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health or sex life or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of the CPRA, but suffice it to say that if the business had to comply with CCPA, it also will likely be covered by CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be to think about data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

Advertisement
Copyright © 2021 Robinson & Cole LLP. All rights reserved.National Law Review, Volume X, Number 317
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Deborah A. George, Robinson Cole, Cybersecurity lawyer
Counsel

Deborah George is a member of the firm’s Business Litigation Group as well as its Data Privacy + Cybersecurity Team.

Deb advises clients on and focuses her practice on data privacy and security, cybersecurity, and compliance with related state and federal laws. She also has experience providing counsel in civil litigation and employment law matters.  She has significant experience offering advice and counsel on legal issues related to human services agencies, including Medicaid, as well as  drafting and reviewing contracts, business associate agreements, and data use agreements. ...

401.709.3363
Advertisement
Advertisement