Skip to content

The California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) labels 20 data fields as constituting “sensitive personal information.” [1]  If Proposition 24 is enacted businesses would be permitted to use sensitive personal information for one of the following purposes:[2]

  1. Performing services reasonably expected by the consumer.[3]
  2. Providing goods reasonably expected by the consumer.[4]
  3. Ensuring the security and integrity of the consumer’s information.[5]
  4. Other short term and transient uses (e.g., serving one-time advertisements).[6]
  5. Performing services on behalf of a business.[7]
  6. Product or service improvement.[8]

If a business chooses to use sensitive personal information for something other than one of the purposes described above, the business would be required to provide a notice to consumers that, among other things, informs them that they have a right to opt-out of  such additional uses.[9]  The business would also be required to include a link on its homepage titled “Limit the Use of My Sensitive Personal Information.”[10]

[1] Proposed Section 1798.140(ae).

[2] Proposed Section 1798.121(a); 1798.140(e)(2), (4), (5), (8).

[3] Proposed Section 1798.121(a).

[4] Proposed Section 1798.121(a).

[5] Proposed Section 1798.140(e)(2).

[6] Proposed Section 1798.140(e)(4).

[7] Proposed Section 1798.140(e)(5).

[8] Proposed Section 1798.140(e)(8).

[9] Proposed Section 1798.121(a).

[10] Proposed Section 1798.135(a)(2).