The California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) labels 20 data fields as constituting “sensitive personal information.” [1] If Proposition 24 is enacted businesses would be permitted to use sensitive personal information for one of the following purposes:[2]
- Performing services reasonably expected by the consumer.[3]
- Providing goods reasonably expected by the consumer.[4]
- Ensuring the security and integrity of the consumer’s information.[5]
- Other short term and transient uses (e.g., serving one-time advertisements).[6]
- Performing services on behalf of a business.[7]
- Product or service improvement.[8]
If a business chooses to use sensitive personal information for something other than one of the purposes described above, the business would be required to provide a notice to consumers that, among other things, informs them that they have a right to opt-out of such additional uses.[9] The business would also be required to include a link on its homepage titled “Limit the Use of My Sensitive Personal Information.”[10]
[1] Proposed Section 1798.140(ae).
[2] Proposed Section 1798.121(a); 1798.140(e)(2), (4), (5), (8).
[3] Proposed Section 1798.121(a).
[4] Proposed Section 1798.121(a).
[5] Proposed Section 1798.140(e)(2).
[6] Proposed Section 1798.140(e)(4).
[7] Proposed Section 1798.140(e)(5).
[8] Proposed Section 1798.140(e)(8).
[9] Proposed Section 1798.121(a).
[10] Proposed Section 1798.135(a)(2).