Senior Content Marketing Manager
March 31, 2023•5 min read
The VCDPA defines sensitive personal information as a “category of personal data” that reveals details about a person’s:
This category also includes any data collected on a “known child.”
The VCDPA and CPRA do differ in how they define sensitive personal information, specifically in terms of the types of data they protect—but we’ll cover that in more detail below.
Under the Virginia CDPA, businesses must ask for a consumer’s consent before processing sensitive data. This stands in contrast to the CPRA, which takes an opt-out approach.
Businesses also need to conduct a data protection assessment before processing SPI, including details about:
To understand how the CPRA approaches SPI, we’ll look at the definitions for both sensitive personal information and personal information—a distinction that may seem small, but is actually pretty important when it comes to CPRA compliance.
Under CPRA, personal information is:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Essentially, it’s any data that might identify an individual or household, including someone’s:
Personal information can also include inferences a company makes using any of the data above.
One thing to note is that personal information doesn’t include “de-identified” data—meaning data that’s had all the identifying aspects removed. To count as de-identified, the business must have safeguards in place to prevent re-identification down the line.
Sensitive personal information was not originally part of California’s privacy law, i.e. the California Consumer Privacy Act (CCPA).
The concept of SPI was added with the CPRA, building on the concept of personal information defined within the CCPA. According to the California Privacy Rights Act, SPI includes:
The goal of the CPRA Final Regulations is to give consumers the ability to limit the use and disclosure of SPI to certain purposes. If a business uses or discloses SPI for purposes other than those outlined in the regulations, it must offer the ability to submit an opt-out request to restrict that usage. The purposes listed in the regulations are to:
You can find more details about these scenarios at section § 7027(m) of the Final Regulations.
When it comes to sensitive personal information, there are a few ways that the VCDPA and CPRA differ: definitions, opt-out vs. opt-in approach, and data protection assessments.
Though there’s quite a bit of overlap between both bills on the general definition of SPI, the specific data types they cover are different.
CPRA doesn’t cover:
And the VCDPA doesn’t cover:
CPRA takes an opt-out approach to SPI. This means a business may use and disclose SPI without prior consent, but must give consumers a clear way to opt out if the processing activities extend beyond the specific purposes outlined in the regulations.
On the other hand, VCDPA requires opt-in consent—meaning the business cannot process SPI without first getting a consumer’s consent.
In addition to obtaining consumer consent, businesses under the Virginia CDPA must also conduct data protection assessments prior to processing SPI. These assessments need to include information on:
The VCDPA also states that data protection assessments must consider how the business's actions fit in with the other requirements laid out by the law, specifically:
Though the CPRA doesn’t require businesses to conduct data protection assessments, it does state that businesses must conduct regular risk assessments if their data processing “presents significant risk to consumers' privacy or security.”
The risk assessment must disclose, among other things, whether a business is processing sensitive personal information. Similar to a data protection assessment, it must weigh the risks and benefits of the data processing.
The onus for overseeing these risk assessments rests with the California Privacy Protection Agency (CPPA) and, though many believed the Draft Regulations would provide greater clarity on this requirement, there has yet to be further CPPA rulemaking on this topic.
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.