“Sensitive Personal Information” - Understanding and Complying with the New Rules in the United States - Lexology

2023-02-22 17:22:10 By: Mr. Jesse Wang


The concept of Sensitive Personal Information (SPI) has made its way into new and emerging US privacy laws. The usual challenges associated with a novel privacy obligation certainly apply to Sensitive Personal Information, but differing approaches across state laws and, in particular, California’s right to limit processing of SPI, have further complicated the issue. Although there are no simple answers for organizations trying to address these new obligations and the landscape may continue to shift as states finalize their regulations, certain themes have emerged. Below, we break down the different requirements and potential strategies organizations can consider when tackling compliance.

What Qualifies as Sensitive Personal Information?

Each new and pending US state privacy law includes a definition of SPI. Although there are slight variations across these laws, the term generally includes information about a consumer (which in California also includes employees, job applicants and contractors as well as B2B contacts) concerning:

What Requirements Apply to Sensitive Personal Information?

With the exception of California and Utah, the new US state laws require organizations to obtain affirmative opt-in consent to collect and use SPI. While onerous from a process standpoint, such opt-in requirements are relatively straightforward. At a high level, the key for organizations will be to adopt a mechanism that allows individuals to affirmatively express their consent (i.e., no pre-checked boxes or misleading language) in an explicit, voluntary manner and to also establish a process for proving that consumer consent has been obtained. In practice, the evidentiary step is often addressed by setting up a process by which all consumers must consent prior to providing the relevant information and/or maintaining a digital record/logs of consents.

As opposed to the opt-in requirements discussed above (to which there are no exceptions), the amendments enacted by the California Privacy Rights Act to the California Consumer Privacy Act (collectively, the CPRA) require organizations to provide consumers with the right to limit the use and disclosure of their SPI “to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.” Where required, organizations must provide a “Limit the Use of My Sensitive Personal Information” link on their homepage that consumers can use to exercise this right.

What has been often overlooked about this obligation, however, is that it applies only in certain circumstances as defined by the draft CPRA regulations, which are currently anticipated to be finalized in the second quarter of 2023. More specifically, if an organization uses SPI for one of the purposes set out in Section 7027 of the draft regulations and/or “without the purpose of inferring characteristics about a consumer”, the organization is not obligated to offer this right to limit (although, the organization is still required to obtain opt-in consent for other states, where applicable).

Section 7027 lists the following uses and disclosures as those that do not trigger the right of opt-out, “provided that the use or disclosure is reasonably necessary and proportionate for this purpose:”

The inference exception (No. 8 above) bears particular attention. The language of the CCPA itself would seem to suggest that the right to limit does not apply in any instance in which SPI is not used to make inferences (“Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section….”). However, it is unclear whether this carve-out was really intended to be the exception that swallows the rule, particularly because it is included in the list of exceptions to the right to limit in the CPRA regulations rather than being called out as an overarching exception.

In addition, neither the CPRA itself nor the regulations themselves provide clear guidance regarding what activities would specifically qualify as making an inference. “Inference” or “Infer” is defined as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.” Although this term itself does not define what activities would constitute making an inference, in March of 2022, the California Office of the Attorney General (OAG) did provide some additional guidance on this issue. According to the OAG, the information must be used to create a profile about a consumer, which “rules out situations where a business is using inferences for reasons other than predicting, targeting, or affecting human behavior.” Based on the definition itself and this guidance, it seems reasonable to assume that organizations using SPI for purposes of building or improving profiles about consumers or targeting specific goods or services to them based on their SPI would be required to offer the right to limit, but it is not completely clear what else might get swept into this concept.

As a result of the ambiguity surrounding the inference exception, organizations should apply it with a certain caution and assume that it cannot be applied too broadly until further clarification and/or guidance is provided by the California regulatory authorities.

As with so many new obligations, addressing the SPI requirements will take time and resources, but breaking the work down into specific steps makes the process more manageable.

Know Your SPI: As with all new requirements, organizations first need to understand whether and when they collect Sensitive Personal Information (noting that in California, these obligations now apply to HR Data (see our related alert available here)). Although many companies would not routinely collect information regarding race or ethnic origin on their website, many would collect account log-in information. Therefore, it is important to thoroughly understand what information is collected from consumers rather than assuming that SPI is not collected.

Understand What’s Happening: In addition to understanding what SPI is collected from consumers, organizations must also understand how it is used, in particular to determine whether the California right to limit may be triggered. For example, if health and medical data are used and/or disclosed only to provide the service expected by the consumer, then the organization may still need to obtain consent for the collection of that SPI to meet other state law requirements but need not offer the right to limit. In addition, the structure of these consents or authorizations may differ. An authorization under HIPAA has specific elements beyond the statutory definition of consent found in the state laws at issue. Likewise, wiretap statutes in the United States will likely require a different type of consent than, for example, analytics cookies subject to the EU ePrivacy Directive. In practice, this means that companies should always understand which legal regime applies, as this will affect the structure of the consent.

Develop a Compliance Strategy: Once the relevant fact-finding has been concluded, the most critical step in the process is to develop a consolidated compliance strategy for meeting applicable requirements. This could include the need for a strategy for obtaining consent as required by other state laws, if applicable, as well as providing the right to limit or designing the use of SPI to avoid providing a right to limit. In many circumstances, companies will also need to design a process for revoking a previous consent. Where the right to limit does apply, organizations will need to develop a mechanism to segregate or tag SPI for consumers who have exercised this right, so the SPI is only used for the purpose(s) that do not trigger the limitation right. Moreover, if a company is contractually obligated to disclose this SPI to another organization, the agreement should carve out the disclosure of information about consumers who have exercised this right.

While companies could consider implementing different approaches for consumers located in different states, we expect that in the long run this will be a difficult approach to manage. Moreover, due to the practical difficulties associated with offering the right to limit, we anticipate that many organizations will work to keep their SPI activities within the bounds of uses that do not trigger this right; it will then be important to monitor uses and disclosures of SPI to make sure that this decision remains defensible and aligned with internal business priorities. Regardless of the approach ultimately adopted, it must be something that companies can actually implement and for which they can maintain evidence across consumer data collections, uses and disclosures.

Be Ready to Adjust: As discussed above, none of the states that have enacted new privacy laws has finalized its regulations or provided meaningful guidance on how companies should address the numerous new requirements emerging from these laws. Therefore, organizations need to be ready to adjust their strategies as the legal landscape and their own practices evolve. In the meantime, it is critical to start working through these thorny issues.


© Copyright 2006 - 2023 Law Business Research