
Handling Sensitive Personal Information under the CPRA and the VCDPA

Sensitive Personal Information under the CPRA and the VCDPA

The recently passed California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”) introduce the concept of “sensitive personal information” into U.S. privacy law: the notion that certain personal data requires a special degree of protection given its sensitive personal nature and the potential for discrimination and other harm to an individual in the event of its unauthorized use or disclosure.

The CPRA and the VCDPA, however, take different approaches to the regulation of such information and will require companies to develop distinct processes to comply with the statutory requirements in the two jurisdictions.


Sensitive Personal Information under the CPRA

The CPRA defines “sensitive personal information” as personal information that reveals (a) a consumer’s Social Security or other state identification number; (b) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) a consumer’s precise geolocation; (d) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, or text messages, unless the business is the intended recipient of the communication; and (f) a consumer’s genetic data.

In addition, “sensitive personal information” includes the processing of biometric information for the purpose of identifying a consumer; personal information collected and analyzed concerning a consumer’s health; and personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

Notably, with the exception of political opinions, “sensitive personal information” under the CPRA includes and expands upon the “special categories of personal data” listed in the GDPR. Under the GDPR, however, the processing of special categories is prohibited by default, and the burden is on controllers to show that processing is permitted by virtue of one of the enumerated exceptions, including express consent.

In contrast, under the CPRA the burden falls on consumers to limit processing to certain activities. Specifically, consumers have a right to limit the use and disclosure of sensitive personal information to certain enumerated “business purposes,” such as helping to ensure data security and integrity, non-personalized advertising, performing services on behalf of the business, or undertaking activities to verify, maintain, or enhance a service or device owned or controlled by the business. Service providers and contractors will similarly be required to limit the use of sensitive personal information to the “business purposes” they help perform for the businesses.

The CPRA further prescribes several methods by which businesses will be required to enable consumers to limit the use and disclosure of sensitive personal information: (1) by providing a link on their homepage titled “Limit the Use of My Sensitive Personal Information”; (2) by utilizing a single link that allows consumers both to limit the use of their sensitive personal information and to opt out of the sale and sharing of their personal information; or (3) by honoring an automatic opt-out preference signal.


Sensitive Data under the VCDPA

Under the VCDPA, “sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; personal data collected from a known child; or precise geolocation data.

The VCDPA provides that controllers are not permitted to collect or process sensitive data without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children’s Online Privacy Protection Act. Unlike the GDPR, which provides limited bases for processing special categories of personal data in addition to express consent, consent appears to be the only basis for processing sensitive data under the Virginia law.

Consent under the VCDPA, in turn, requires a clear, affirmative act signifying the consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data relating to the consumer.


Automatic Data Mapping: Your First Step to Managing Sensitive Personal Information

Before you can successfully manage sensitive personal information in your company, you need to know whether your company collects sensitive data at all and, if so, which sensitive data it collects, uses, stores, and shares within and outside the organization.

Automated data mapping, using software such as Clarip’s data mapping tools, allows your organization to scan its electronic systems, website, internal servers, and storage to determine what data it collects and transfers within and outside the organization. An automated approach is usually more efficient and less expensive than the manual data mapping still used by many companies. Furthermore, the sheer volume of data processed by modern organizations will most likely require at least some degree of data mapping automation to manage sensitive personal information in compliance with the CPRA and VCDPA requirements.
