Organizations working towards compliance with US state privacy laws will know from previous installments of this blog series the complexities of navigating data discovery and mapping exercises, privacy impact assessment requirements, responding to privacy rights requests, and respecting opt-outs of sale. In the fifth part of this six-part series, we look at some of the similarities and differences between the requirements for collecting, using, and disclosing sensitive personal information.

One initial difference to note is the way that this type of information is referred to across different states. Firstly, the California Consumer Privacy Act (CCPA) refers to sensitive personal information but does not explicitly define it in its text. The term sensitive personal information is defined by the California Privacy Rights Act (CPRA), which passed in November 2020. However, the term sensitive data is used by both the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA). For this blog, we will refer to both sensitive personal information and sensitive data as ‘SPI’. 

There are several other differences between the CPRA, CDPA, and CPA – from what information is included in the definitions of SPI outlined by each law, to how to handle it, and what rights consumers have concerning their SPI. 

What is Sensitive Personal Information?

Certain types of personal information under the CPRA, CDPA, and CPA fall into a separate category of protected information known as sensitive personal information or sensitive data (SPI). Typically, types of SPI have stricter rules for collection and usage, and organizations that process SPI must take careful steps to ensure they are handling it within the boundaries of the law. One of the big challenges of remaining compliant with US state privacy laws is understanding what information is classed as SPI under each law. 

SPI can include biometric information, political opinions, information related to sex life or sexual orientation, and philosophical beliefs. Some characteristics, such as race, ethnic origin, religious beliefs, and genetic data, are consistently classified as SPI under the CPRA, CDPA, and CPA.

As we’ve seen with other requirements of US state privacy laws, the CDPA and CPA are largely similar in their approach. However, even the CDPA and CPA have some distinct differences when it comes to classifying what information falls into the category of SPI. For instance, the CDPA includes precise geolocation as SPI, whereas the CPA does not. There are also differences relating to healthcare data and what health-related information is considered SPI: the CDPA considers the diagnosis of a medical condition as SPI, whereas the CPA relies on Title 45 of the Code of Federal Regulations (45 CFR § 160.103) to define protected health information.

The CPRA goes further than the CDPA and CPA by also treating a broader selection of personal information as SPI. This includes information such as social security numbers, government identification numbers, trade union membership, and financial account information.

What Are the Operational Differences for Handling Sensitive Personal Information?

Once you understand what type of information is classified as SPI, you can begin to apply the correct operational policies for collecting and using the information. 

The first notable comparison is the conditions for using SPI that are highlighted under the CPRA, CDPA, and CPA. Again, the CPRA takes a different approach to both the CDPA and the CPA by allowing organizations to operate on an opt-out basis, meaning they can collect and use SPI until instructed not to by the consumer. The CDPA and CPA on the other hand operate on an opt-in basis, requiring organizations to obtain explicit consent before collecting and using SPI. 

Each law also has specific requirements related to the collection and usage of SPI. For example, the CPRA grants consumers the right to limit the use of their SPI. As such, organizations that process SPI must provide a public-facing privacy notice informing consumers of their rights, among other things. Organizations are also required to provide a clear and conspicuous link on internet homepages, titled ‘Limit the Use of My Sensitive Personal Information,’ to allow consumers to exercise this right. 

The CDPA requires data controllers to obtain affirmative consent from the consumer before processing SPI. A consent requirement is also seen under the CPA which requires data controllers to obtain ‘freely given, specific, informed, and unambiguous’ consent to process SPI. The CDPA, however, also requires data controllers who process SPI to conduct a privacy risk assessment before processing. 

Unexpected Compliance Challenges of Sensitive Personal Information

As the requirements for processing SPI are more stringent than those for processing personal information, it is vital to have a comprehensive understanding of what data you have and how it is classified. Here, the vast amount of unstructured data held by organizations can cause problems for compliance with US state laws. SPI can be found in all types of unstructured data, including emails, video files, and open text notes; because it is difficult to find there, it has the potential to be subject to unauthorized access.

When organizations are unaware of the SPI that they hold, they are unable to apply appropriate protections and policies to it, leaving the information potentially vulnerable and in violation of US state privacy laws. Therefore, organizations should conduct data discovery exercises that include comprehensive scanning of unstructured data sources to ensure they have a clear picture of what data is in their possession. Following the data discovery exercise, organizations should catalog this data in a centralized inventory where personally identifiable information (PII) and SPI can be classified appropriately, and the correct information security safeguards and data governance policies applied.
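As an added illustration of the discovery-and-classification step described above (and of the per-law SPI definitions and opt-in/opt-out handling discussed earlier in this post), the following Python script scans constructed sample documents for candidate SPI, records which of the CPRA, CDPA, and CPA treat each finding as SPI, and emits an inventory record with the handling actions the post describes. This is example code written for this page, not OneTrust's product or any law's official text: the category-to-law mapping is limited to what this post states, the regular expressions are deliberately simple placeholders for a real classifier, and the document contents are made up.

```python
import re
from dataclasses import dataclass

# Which laws treat each category as SPI, as stated in this post.
# Illustrative only: limited to categories the post attributes to a specific law.
SPI_CATEGORY_LAWS = {
    "racial_or_ethnic_origin": {"CPRA", "CDPA", "CPA"},
    "religious_beliefs": {"CPRA", "CDPA", "CPA"},
    "genetic_data": {"CPRA", "CDPA", "CPA"},
    "precise_geolocation": {"CDPA"},        # post: CDPA yes, CPA no
    "medical_diagnosis": {"CDPA"},          # post: CDPA treats a diagnosis as SPI
    "social_security_number": {"CPRA"},
    "financial_account": {"CPRA"},
    "trade_union_membership": {"CPRA"},
}

# Operational handling per law, as described in this post.
LAW_HANDLING = {
    "CPRA": {"consent_model": "opt-out", "risk_assessment_first": False,
             "homepage_link": "Limit the Use of My Sensitive Personal Information"},
    "CDPA": {"consent_model": "opt-in", "risk_assessment_first": True, "homepage_link": None},
    "CPA": {"consent_model": "opt-in", "risk_assessment_first": False, "homepage_link": None},
}

# Detectors for free text. These patterns are assumptions of this example and
# will both miss and over-match; a production scanner needs tuned classifiers.
DETECTORS = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "financial_account": re.compile(r"\b(?:IBAN|routing number|account number)\b[:\s]*[A-Z0-9]{6,}", re.I),
    "precise_geolocation": re.compile(r"\b-?\d{1,2}\.\d{4,},\s*-?\d{1,3}\.\d{4,}\b"),
    "medical_diagnosis": re.compile(r"\bdiagnos(?:ed|is)\b", re.I),
    "trade_union_membership": re.compile(r"\bunion member(?:ship)?\b", re.I),
    "genetic_data": re.compile(r"\b(?:genetic|genome|DNA) (?:test|result|sequence)\b", re.I),
    "religious_beliefs": re.compile(r"\breligio(?:n|us)\b", re.I),
    "racial_or_ethnic_origin": re.compile(r"\b(?:ethnicity|ethnic origin)\b", re.I),
}


@dataclass
class InventoryRecord:
    source: str
    spi_categories: list          # detected SPI categories, sorted
    laws_in_scope: set            # laws under which the finding is SPI
    consent_model: dict           # law -> "opt-in" / "opt-out"
    actions: list                 # handling steps derived from LAW_HANDLING


def detect_spi(text):
    """Return the sorted list of SPI categories whose detector fires on text."""
    return sorted(cat for cat, rx in DETECTORS.items() if rx.search(text))


def classify(source, text, applicable_laws=("CPRA", "CDPA", "CPA")):
    """Build an inventory record for one unstructured document."""
    cats = detect_spi(text)
    laws = set()
    for cat in cats:
        laws |= SPI_CATEGORY_LAWS[cat]
    laws &= set(applicable_laws)   # only laws the organization is subject to
    actions = []
    for law in sorted(laws):
        handling = LAW_HANDLING[law]
        if handling["consent_model"] == "opt-in":
            actions.append(f"{law}: obtain opt-in consent before processing")
        else:
            actions.append(f"{law}: publish '{handling['homepage_link']}' link and honor limit requests")
        if handling["risk_assessment_first"]:
            actions.append(f"{law}: complete privacy risk assessment before processing")
    consent = {law: LAW_HANDLING[law]["consent_model"] for law in laws}
    return InventoryRecord(source, cats, laws, consent, actions)


# Constructed sample documents; none of this is real data.
SAMPLE_DOCS = {
    "support_ticket_1042.txt": "Customer says SSN 123-45-6789 was typed into the wrong form.",
    "field_notes_2021-07.txt": "Visited at 37.7749, -122.4194; client was diagnosed last spring.",
    "meeting_minutes.txt": "Agenda: Q3 roadmap, hiring plan, office move.",
}


def build_inventory(docs):
    """Classify every document and return the inventory as a list of records."""
    return [classify(name, text) for name, text in docs.items()]


if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_DOCS):
        print(rec.source, rec.spi_categories, sorted(rec.laws_in_scope), rec.actions)
```

The useful property of the record is that the same finding can map to different obligations: a social security number is SPI under the CPRA only (opt-out handling), whereas a geolocation plus a diagnosis in a field note is SPI under the CDPA, which triggers opt-in consent and a risk assessment before processing. Restricting `applicable_laws` to the states an organization is actually subject to keeps the inventory from over-reporting.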

OneTrust can help organizations automatically discover SPI from unstructured data sources as well as tagging and classifying data in a central data inventory. OneTrust can intelligently apply state law-specific policies to data and can help to track the use of sensitive personal information throughout its lifecycle, document opt-in consent for the CDPA and CPA, and limit processing upon request for the CPRA. 
