Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

How do CPRA treat sensitive personal information

By Privacy Research Team

Published on August 25, 2022

For businesses globally, personal data is a highly vital asset. Used effectively, personal data can increase a business’s revenues tenfold and ensure it targets users most likely to convert and turn into customers. Thus, it wouldn't be wrong to say that access to personal data has transformed the business world by knowing their customers and potential customers better.

However, there have long been ethical concerns about the scale and scope of personal data available to businesses. Some personal data is more sensitive than the rest - its use must be more strictly curtailed so that individuals are not exploited. This type of data might be about their most sensitive innate characteristics or traits, or it might be information that, in the wrong hands, could lead them to severe loss or harm.

That is one of the several factors that have led countries worldwide to draft data privacy laws that categorize certain types of personal data as sensitive personal data and provide it additional protections.

The California Privacy Rights Act (CPRA) replaces the California Consumer Privacy Act (CCPA), which will come into effect on January 1, 2023. The CPRA guarantees Californian consumers' are adequately protected by introducing a new category of data labeled "sensitive personal information". All data within this category warrants increased protection from businesses collecting, storing, processing, disclosing, and transferring personal information about their consumers.

Read on to learn more about sensitive personal information, including the ideal solution for organizations that want to handle the collection of sensitive personal information:

What is Sensitive Personal Information?

So, what exactly is sensitive personal information? The CCPA defined what constitutes personal information. The CPRA builds on that definition by introducing the sub-category of sensitive personal information. As per the CPRA's definition, personal information that reveals any of the following details about an individual consumer constitutes sensitive personal information:

Government-issued identifiers
- Social Security,
- Driver’s license,
- State identification card, or
- Passport number.
Finances
- Account log-in.
- Financial account combined with any required security or access code, password, or credentials allowing access to an account.
- Debit card or credit card number combined with any required security or access code, password, or credentials.
Geolocation
- a consumer’s precise geolocation, including address, ZIP code, and city.
Race, religion, and union membership
- Racial or ethnic origin,
- Religious or philosophical beliefs, or
- Union membership.
Communications
- The contents of a consumer’s private communications,
- Unless the company is the intended recipient of the communication.
Genetics
- a consumer’s genetic data.
Biometrics
- Biometric information which can uniquely identify a consumer.
Health
- Personal information collected and analyzed concerning a consumer’s health.
Sexual orientation
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This broader definition of the term means that an organization that might be collecting either one of these would now have to comply with the provisions that the CPRA requires them to adhere to.

Obligations Related to Sensitive Personal Information Under the CPRA

Sensitive Personal Information is an entirely new category of data that the CPRA creates. It follows the wisdom that some types of data necessitate increased protection online such as a user's financial or biometric information. This new category of personal information is inspired by the "special categories of personal data" mentioned in the General Data Protection Regulation (GDPR).

The CPRA goes into great detail explaining the duties of businesses that collect consumers’ sensitive personal information. These duties and responsibilities include:

Disclosing to the consumer at or before the point of collection:
- the categories of sensitive personal information to be collected,
- the purposes for which they are being collected,
- whether that information is being sold or shared, and
- the length of time the business intends to retain consumers’ sensitive personal information, including the criteria used to determine that period.
Disclose to the consumer in its privacy notice:
- a list of the categories of sensitive personal information it has collected about consumers in the preceding 12 months,
- a list of the categories of sensitive personal information it has sold or shared about consumers or disclosed for a business purpose in the preceding 12 months,
- the categories of sources from which consumers' sensitive personal information is collected,
- the business or commercial purpose for collecting or selling or sharing consumers' sensitive personal information,
- the categories of third parties to whom the business discloses consumers' sensitive personal information.
Undertake reasonable security procedures and practices appropriate to the nature of the sensitive personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure under CPRA;
Make available to consumers two or more designated methods for submitting requests for access, deletion, or correction of sensitive personal information and fulfill their requests within 45 days;
Providing two clear and conspicuous links on the business’s internet homepages, titled:
- “Do Not Sell or Share My Personal Information,” that enables a consumer, or a person authorized by the consumer, to opt out of the sale or sharing of the consumer’s personal information, including his/her sensitive personal information.
- “Limit the Use of My Sensitive Personal Information,” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information only for the following tasks:
  - Usage which is reasonably necessary to perform the services or provide the goods to an average consumer.
  - Helping to ensure security and integrity.
  - Short-term, transient use, such as for non-personalized advertising based on the consumer’s interaction with the business in real-time - however, it is important to note that consumer’s sensitive personal information cannot be shared with another third party nor used to build profiles or alter the consumer’s experience outside their interaction with the business in real-time.
  - Performing services on behalf of the business, which includes maintenance or servicing of user accounts, providing customer service, processing orders and fulfilling transactions, verifying customer information, processing payments, providing financing, analytic services, storage, or similar services on behalf of the business.
  - To maintain and verify the quality and safety of the products/services offered by the business or to improve/upgrade/enhance the products’ capabilities.
The business is exempt from having to do this if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through a global opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism.
Businesses must notify consumers before using their sensitive personal information or disclosing it to a service provider or contractor for any additional, specified purposes and must inform consumers they have the right to limit the use or disclosure of their sensitive personal information. Consumers may give consent for the use or disclosure of sensitive personal information for additional purposes if they have employed their right to limit the use of their sensitive personal information.
Waiting for at least 12 months before re-requesting the consumer to authorize the sale or sharing of the consumer’s sensitive personal information or the use and disclosure of their sensitive personal information for additional purposes.

Sensitive Data Intelligence: Your First Step to Managing Sensitive Personal Information

Due to just how expansive the definition of sensitive personal information is under the CPRA, businesses are likely to find themselves scrambling to determine whether they collect any such data.

Managing how a business collects, stores secures and maintains sensitive personal information is long and arduous. An automated solution is a critical necessity to ensure that the process is carried out effectively and efficiently.

With Securiti’s Sensitive Data Solution (SDI), an organization can scan its data assets and detect and classify all personal and sensitive personal information. Furthermore, this discovered data can be neatly arranged in a catalog to enable teams to leverage the metadata for security, privacy, and compliance purposes.

SDI uses machine learning and pattern recognition techniques, which aid in identifying personal and sensitive information such as government identifiers, financial, or racial identifiers. It can then categorize them accordingly by importing labels from the Microsoft Security Centre and applying them to Box, NFS, SMB, and other unstructured data assets.

These sensitivity labels are vital in ensuring the enforcement of security policies that prevent any sort of data leaks.

An organization can attach additional metadata to each sensitive file, such as the category of personal data, the purpose of processing, and retention period. Additionally, People Data Graphs enable timely and accurate fulfillment of DSRs, breach notifications, and consent reports.

Lastly, SDI allows an organization to identify data risk hotspots in their environment based on elements such as specific data elements, data locations, and user residencies. These insights can then be used to take any necessary remedial or preventative actions to mitigate or eliminate any security and privacy risks.

How Securiti Can Help

The CPRA, like any other significant privacy regulation, requires organizations to radically overhaul the way they collect users' personal information or sensitive personal information. The sheer volume of data makes it seem an arduous task for any organization unless they opt for robotic automation.

This is where Securiti can prove to be a viable option.

Securiti’s Sensitive Data Intelligence (SDI) is a highly reliable way to initiate an organization’s management of sensitive personal information. With SDI, you can enable Privacy Notice Management to automate your organization’s privacy policy in compliance with the CPRA requirements while giving you hundreds of pre-built templates based on your unique needs.

The automated data mapping solution helps maintain an updated catalog of all data assets and sensitive data, along with metadata such as the purpose of collection, retention period, and other details.

Additionally, you can visualize data maps to gain real-time insights into key data patterns, initiate PIAs, and monitor real-time risks related to your data processing activities.

Request a demo today to see how Securiti's products can aid your CPRA compliance efforts today.