By Brinda Bellur, Esq.
May 28, 2025
The California Privacy Rights Act (CPRA), which significantly amended the California Consumer Privacy Act (CCPA), established a robust framework for consumer data privacy. Businesses need to understand the distinction between "personal information" and "sensitive personal information" under the CPRA, because that distinction determines which obligations and consumer rights apply, and getting it right is crucial for achieving and maintaining compliance.

What is "Personal Information" under CPRA?

The CPRA adopts a broad definition of "personal information" (PI): any information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This includes, but is not limited to:

- Identifiers: real name, alias, postal address, unique personal identifier, online identifier (e.g., IP address, cookie ID), email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
- Customer Records Information: signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
- Characteristics of Protected Classifications under California or federal law (e.g., age, race, religion, gender, sexual orientation).
- Commercial Information: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric Information: physiological, biological, or behavioral characteristics, including DNA, used or intended to be used, separately or in combination with other data, to establish individual identity (e.g., fingerprints, facial recognition).
- Internet or Other Electronic Network Activity Information: browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement.
- Geolocation Data: information that indicates the precise location of an individual or device.
- Sensory Data: audio, electronic, visual, thermal, olfactory, or similar information (e.g., call recordings, CCTV footage).
- Professional or Employment-Related Information.
- Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

It is important to note that personal information does not include publicly available information, such as information lawfully made available from federal, state, or local government records (e.g., professional licenses, public real estate records), nor does it include deidentified or aggregate consumer information.

What is "Sensitive Personal Information" (SPI) under CPRA?

The CPRA introduced a new, more protected category of personal information: Sensitive Personal Information (SPI). This subset of PI requires heightened safeguards because of its potentially intimate or revealing nature, and consumers have additional rights regarding its use and disclosure. SPI includes personal information that reveals:

- A consumer's Social Security number, driver's license number, state identification card number, or passport number.
- A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Note the "in combination" requirement: a card number on its own is PI, but a card number stored together with the credential that unlocks the account is SPI.
- A consumer's precise geolocation.
- A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership.
- The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication.
- A consumer's genetic data.

SPI also includes:

- The processing of biometric information for the purpose of uniquely identifying a consumer.
- Personal information collected and analyzed concerning a consumer's health.
- Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

Key Differences and Why They Matter for Businesses

The distinction between general "personal information" and "sensitive personal information" is critical because the CPRA imposes additional obligations and consumer rights specifically for SPI.

- Heightened Protection: Businesses handling SPI must implement more robust security measures to protect this data from unauthorized access or disclosure.
- Right to Limit Use and Disclosure: Consumers have a new right to direct businesses to limit the use and disclosure of their SPI to only those purposes necessary to perform the services or provide the goods reasonably expected by an average consumer. This means businesses generally cannot use or disclose SPI for other purposes, such as cross-context behavioral advertising, without the consumer's permission.
- Dedicated Opt-Out Link: Businesses that use or disclose SPI for purposes beyond those permitted by the CPRA must provide a "clear and conspicuous link" on their homepage(s) labeled "Limit the Use of My Sensitive Personal Information." This is in addition to the "Do Not Sell or Share My Personal Information" link that applies to general personal information.
- Notice at Collection: Businesses must clearly disclose the categories of SPI collected, the purposes for which it is collected or used, and whether it is sold or shared.

What Businesses Need to Know for CPRA Compliance

To comply with the CPRA, businesses must take a comprehensive approach to data privacy, with particular attention to the differentiated treatment of personal and sensitive personal information:

Data Inventory and Mapping
- Identify all types of personal information you collect, store, process, and share. This includes data from customers, employees, job applicants, contractors, and business-to-business (B2B) contacts, since the CPRA largely removed the previous exemptions for employee and B2B data.
- Specifically identify and classify any sensitive personal information (SPI) collected.
- Map how data flows across your organization, including transfers to third parties, service providers, and contractors.

Update Privacy Policies and Notices
- Clearly disclose the categories of personal information and sensitive personal information collected.
- State the purposes for which each category of information is collected and used.
- Specify retention periods for all categories of personal and sensitive personal information, and ensure data is not kept longer than "reasonably necessary" for the disclosed purpose.
- Explain consumer rights under the CPRA, including the rights to know, delete, correct, opt out of sale/sharing, and limit the use of sensitive personal information.

Implement Opt-Out Mechanisms
- Provide "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links on your website homepage(s) and other relevant data collection pages.
- Ensure these links lead to user-friendly pages where consumers can easily exercise their rights.
- Maintain records of consumer requests, including opt-out requests, and how the business responded to them for at least 24 months.

Data Minimization and Security
- Collect only the personal information and SPI that is reasonably necessary for your disclosed purposes.
- Implement robust security measures to protect all personal information, with heightened safeguards (e.g., encryption, access controls) for SPI.
- Develop a comprehensive incident response plan.

Respond to Consumer Requests
- Establish clear and efficient processes for responding to consumer requests to access, delete, correct, opt out of sale/sharing, and limit the use of their personal and sensitive personal information.
- Ensure timely responses: requests to know, delete, or correct must generally be fulfilled within 45 days, with a possible 45-day extension, while requests to opt out of sale/sharing or to limit the use of SPI must be honored as soon as feasibly possible and no later than 15 business days after receipt.
- When a deletion request is received, notify the service providers, contractors, and third parties with whom the data has been shared.

Third-Party Contracts
- Review and update contracts with service providers and third parties to ensure they also meet CPRA obligations, especially regarding data protection and consumer rights.

Training
- Provide regular training to all employees who handle personal data on CPRA requirements and best practices for data privacy and security.

By diligently addressing these areas, businesses can navigate the complexities of the CPRA, protect consumer privacy, and mitigate the risks of non-compliance, including significant penalties from the California Privacy Protection Agency (CPPA). For any business operating in California or collecting data from California residents, a proactive and well-informed approach to data privacy is no longer optional; it is a legal imperative.

Brinda Bellur is a dual-licensed attorney in California and India, with extensive experience in both litigation and transactional matters. She holds an LLM from UC SF Law (formerly UC Hastings) and certifications in privacy (CIPP/US, IAPP) and commercial contracts (UC Berkeley Law Executive Education).