November 30, 2020

Volume X, Number 335


What Rights Would the CPRA Provide for Sensitive Category Data?

The California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) labels 20 data fields as constituting “sensitive personal information.” [1]  If Proposition 24 is enacted businesses would be permitted to use sensitive personal information for one of the following purposes:[2]

  1. Performing services reasonably expected by the consumer.[3]

  2. Providing goods reasonably expected by the consumer.[4]

  3. Ensuring the security and integrity of the consumer’s information.[5]

  4. Other short term and transient uses (e.g., serving one-time advertisements).[6]

  5. Performing services on behalf of a business.[7]

  6. Product or service improvement.[8]

If a business chooses to use sensitive personal information for something other than one of the purposes described above, the business would be required to provide a notice to consumers that, among other things, informs them that they have a right to opt-out of  such additional uses.[9]  The business would also be required to include a link on its homepage titled “Limit the Use of My Sensitive Personal Information.”[10]

[1] Proposed Section 1798.140(ae).

[2] Proposed Section 1798.121(a); 1798.140(e)(2), (4), (5), (8).

[3] Proposed Section 1798.121(a).

[4] Proposed Section 1798.121(a).

[5] Proposed Section 1798.140(e)(2).

[6] Proposed Section 1798.140(e)(4).

[7] Proposed Section 1798.140(e)(5).

[8] Proposed Section 1798.140(e)(8).

[9] Proposed Section 1798.121(a).

[10] Proposed Section 1798.135(a)(2).

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 297



About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...