How do CPRA treat sensitive personal information

For businesses globally, personal data is a highly vital asset. Used effectively, personal data can increase a business’s revenues tenfold and ensure it targets users most likely to convert and turn into customers. Thus, it wouldn't be wrong to say that access to personal data has transformed the business world by knowing their customers and potential customers better.

However, there have long been ethical concerns about the scale and scope of personal data available to businesses. Some personal data is more sensitive than the rest - its use must be more strictly curtailed so that individuals are not exploited. This type of data might be about their most sensitive innate characteristics or traits, or it might be information that, in the wrong hands, could lead them to severe loss or harm.

That is one of the several factors that have led countries worldwide to draft data privacy laws that categorize certain types of personal data as sensitive personal data and provide it additional protections.

The California Privacy Rights Act (CPRA) replaces the California Consumer Privacy Act (CCPA), which will come into effect on January 1, 2023. The CPRA guarantees Californian consumers' are adequately protected by introducing a new category of data labeled "sensitive personal information". All data within this category warrants increased protection from businesses collecting, storing, processing, disclosing, and transferring personal information about their consumers.

Read on to learn more about sensitive personal information, including the ideal solution for organizations that want to handle the collection of sensitive personal information:

What is Sensitive Personal Information?

So, what exactly is sensitive personal information? The CCPA defined what constitutes personal information. The CPRA builds on that definition by introducing the sub-category of sensitive personal information. As per the CPRA's definition, personal information that reveals any of the following details about an individual consumer constitutes sensitive personal information:

• Government-issued identifiers
  • Social Security,
  • Driver’s license,
  • State identification card, or
  • Passport number.
• Finances
  • Account log-in.
  • Financial account combined with any required security or access code, password, or credentials allowing access to an account.
  • Debit card or credit card number combined with any required security or access code, password, or credentials.
• Geolocation
  • a consumer’s precise geolocation, including address, ZIP code, and city.
• Race, religion, and union membership
  • Racial or ethnic origin,
  • Citizenship or immigration status,
  • Religious or philosophical beliefs, or
  • Union membership.
• Communications
  • The contents of a consumer’s private communications,
  • Unless the company is the intended recipient of the communication.
• Genetics
  • a consumer’s genetic data.
• Biometrics
  • Biometric information which can uniquely identify a consumer.
• Health
  • Personal information collected and analyzed concerning a consumer’s health.
• Sexual orientation
  • Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This broader definition of the term means that an organization that might be collecting either one of these would now have to comply with the provisions that the CPRA requires them to adhere to.

Obligations Related to Sensitive Personal Information Under the CPRA

Sensitive Personal Information is an entirely new category of data that the CPRA creates. It follows the wisdom that some types of data necessitate increased protection online such as a user's financial or biometric information. This new category of personal information is inspired by the "special categories of personal data" mentioned in the General Data Protection Regulation (GDPR).

The CPRA goes into great detail explaining the duties of businesses that collect consumers’ sensitive personal information. These duties and responsibilities include:

• Disclosing to the consumer at or before the point of collection:
  • the categories of sensitive personal information to be collected,
  • the purposes for which they are being collected,
  • whether that information is being sold or shared, and
  • the length of time the business intends to retain consumers’ sensitive personal information, including the criteria used to determine that period.
• Disclose to the consumer in its privacy notice:
  • a list of the categories of sensitive personal information it has collected about consumers in the preceding 12 months,
  • a list of the categories of sensitive personal information it has sold or shared about consumers or disclosed for a business purpose in the preceding 12 months,
  • the categories of sources from which consumers' sensitive personal information is collected,
  • the business or commercial purpose for collecting or selling or sharing consumers' sensitive personal information,
  • the categories of third parties to whom the business discloses consumers' sensitive personal information.
• Undertake reasonable security procedures and practices appropriate to the nature of the sensitive personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure under CPRA;
• Make available to consumers two or more designated methods for submitting requests for access, deletion, or correction of sensitive personal information and fulfill their requests within 45 days;
• Providing two clear and conspicuous links on the business’s internet homepages, titled:
  • “Do Not Sell or Share My Personal Information,” that enables a consumer, or a person authorized by the consumer, to opt out of the sale or sharing of the consumer’s personal information, including his/her sensitive personal information.
  • “Limit the Use of My Sensitive Personal Information,” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer’s sensitive personal information only for the following tasks:
    • Usage which is reasonably necessary to perform the services or provide the goods to an average consumer.
    • Helping to ensure security and integrity.
    • Short-term, transient use, such as for non-personalized advertising based on the consumer’s interaction with the business in real-time - however, it is important to note that consumer’s sensitive personal information cannot be shared with another third party nor used to build profiles or alter the consumer’s experience outside their interaction with the business in real-time.
    • Performing services on behalf of the business, which includes maintenance or servicing of user accounts, providing customer service, processing orders and fulfilling transactions, verifying customer information, processing payments, providing financing, analytic services, storage, or similar services on behalf of the business.
    • To maintain and verify the quality and safety of the products/services offered by the business or to improve/upgrade/enhance the products’ capabilities.
• The business is exempt from having to do this if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through a global opt-out preference signal sent with the consumer’s consent by a platform, technology, or mechanism.
• Businesses must notify consumers before using their sensitive personal information or disclosing it to a service provider or contractor for any additional, specified purposes and must inform consumers they have the right to limit the use or disclosure of their sensitive personal information. Consumers may give consent for the use or disclosure of sensitive personal information for additional purposes if they have employed their right to limit the use of their sensitive personal information.
• Waiting for at least 12 months before re-requesting the consumer to authorize the sale or sharing of the consumer’s sensitive personal information or the use and disclosure of their sensitive personal information for additional purposes.

Sensitive Data Intelligence: Your First Step to Managing Sensitive Personal Information

Due to just how expansive the definition of sensitive personal information is under the CPRA, businesses are likely to find themselves scrambling to determine whether they collect any such data.

Managing how a business collects, stores secures and maintains sensitive personal information is long and arduous. An automated solution is a critical necessity to ensure that the process is carried out effectively and efficiently.

With Securiti’s Sensitive Data Solution (SDI), an organization can scan its data assets and detect and classify all personal and sensitive personal information. Furthermore, this discovered data can be neatly arranged in a catalog to enable teams to leverage the metadata for security, privacy, and compliance purposes.

SDI uses machine learning and pattern recognition techniques, which aid in identifying personal and sensitive information such as government identifiers, financial, or racial identifiers. It can then categorize them accordingly by importing labels from the Microsoft Security Centre and applying them to Box, NFS, SMB, and other unstructured data assets.

These sensitivity labels are vital in ensuring the enforcement of security policies that prevent any sort of data leaks.

An organization can attach additional metadata to each sensitive file, such as the category of personal data, the purpose of processing, and retention period. Additionally, People Data Graphs enable timely and accurate fulfillment of DSRs, breach notifications, and consent reports.

Lastly, SDI allows an organization to identify data risk hotspots in their environment based on elements such as specific data elements, data locations, and user residencies. These insights can then be used to take any necessary remedial or preventative actions to mitigate or eliminate any security and privacy risks.

How Securiti Can Help

The CPRA, like any other significant privacy regulation, requires organizations to radically overhaul the way they collect users' personal information or sensitive personal information. The sheer volume of data makes it seem an arduous task for any organization unless they opt for robotic automation.

This is where Securiti can prove to be a viable option.

Securiti’s Sensitive Data Intelligence (SDI) is a highly reliable way to initiate an organization’s management of sensitive personal information. With SDI, you can enable Privacy Notice Management to automate your organization’s privacy policy in compliance with the CPRA requirements while giving you hundreds of pre-built templates based on your unique needs.

The automated data mapping solution helps maintain an updated catalog of all data assets and sensitive data, along with metadata such as the purpose of collection, retention period, and other details.

Additionally, you can visualize data maps to gain real-time insights into key data patterns, initiate PIAs, and monitor real-time risks related to your data processing activities.

Request a demo today to see how Securiti's products can aid your CPRA compliance efforts today.