Understanding Sensitive Personal Information: A Comprehensive Guide

At a glance

  • Sensitive personal information (SPI) is a category of data that appears in both the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). 

  • Though there's overlap between these laws, they do differ in terms of definitions, opt-in/opt-out approach, and data protection assessments. 

  • With enforcement dates for CPRA and VCDPA coming up soon (July 1, 2023), businesses need to make sure they’re compliant when it comes to processing sensitive personal information.

Sensitive Personal Information in Virginia

Definition 

The VCDPA defines sensitive personal information as a “category of personal data” that reveals details about a person’s:

  • Race

  • Ethnic origin

  • Physical or mental health

  • Religious beliefs

  • Citizenship or immigration status

  • Sexual orientation

  • Genetic or biometric data

  • Precise location

This category also includes any data collected on a “known child.”

The VCDPA and CPRA do differ in how they define sensitive personal information, specifically in terms of the types of data they protect—but we’ll cover that in more detail below. 

Requirements for businesses

Under the Virginia CDPA, businesses must ask for a consumer’s consent before processing sensitive data. This stands in contrast to the CPRA, which takes an opt-out approach. 

Businesses also need to conduct a data protection assessment before processing SPI, including details about:

  • The risks and benefits associated with the data processing

  • How the business will employ safeguards to mitigate those risks

  • Whether the business plans to use de-identified data

  • How the business will manage consumer expectations about the data processing

CPRA Sensitive Personal Information

To understand how the CPRA approaches SPI, we’ll look at the definitions for both sensitive personal information and personal information—a distinction that may seem small, but is actually pretty important when it comes to CPRA compliance.

Personal Information

Under CPRA, personal information is: 

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Essentially, it’s any data that might identify an individual or household, including someone’s: 

  • Name

  • Home address

  • Account name

  • IP address

  • Email address

  • Passport number

  • Purchase history

  • Driver's license number

  • Social security number

  • Biometric data

  • Location data

  • Employment data

  • Browsing or search history

Personal information can also include inferences a company makes using any of the data above.

One thing to note is that personal information doesn’t include “de-identified” data—meaning data that’s had all the identifying aspects removed. To count as de-identified, the business must have safeguards in place to prevent re-identification down the line.

Sensitive personal information

Sensitive personal information was not originally part of California’s privacy law, i.e. the California Consumer Privacy Act (CCPA). 

The concept of SPI was added with the CPRA, building on the concept of personal information defined within the CCPA. According to the California Privacy Rights Act, SPI includes: 

  • Driver’s license number

  • Social security number

  • Passport numbers

  • Credit and debit card numbers

  • Log-in information for financial accounts

  • Data on a consumer’s religion, ethnicity, or race

  • Geolocation data

  • Biometric and genetic data

  • Data about a consumer's sexual orientation or health

  • A consumer's mail, email, or texts

How can a business use SPI

The goal of the CPRA Final Regulations is to give consumers the ability to limit the use and disclosure of SPI to certain purposes. If a business uses or discloses SPI for purposes other than those outlined in the regulations, it must offer consumers the ability to submit an opt-out request to restrict that usage. The purposes listed in the regulations are to: 

  1. Provide a good or service in line with the consumer’s expectations

  2. Identify a security incident

  3. Inhibit “malicious, deceptive, fraudulent, or illegal actions directed at the business” 

  4. Ensure someone’s physical safety

  5. Display short-term “nonpersonalized advertising”

  6. Provide services like account maintenance or customer service

  7. “Verify or maintain the quality or safety of a product, service, or device” 

  8. Use SPI in a manner "where the collection or processing is not for the purpose of inferring characteristics about a consumer"

You can find more details about these scenarios at section § 7027(m) of the Final Regulations.

VCDPA vs CPRA: Sensitive personal information

When it comes to sensitive personal information, there are a few ways that the VCDPA and CPRA differ: definitions, opt-out vs. opt-in approach, and data protection assessments. 

Definitions

Though there’s quite a bit of overlap between both bills on the general definition of SPI, the specific data types they cover are different. 

CPRA doesn’t cover: 

  • Citizenship or immigration status

  • Data from a “known child”

And the VCDPA doesn’t cover: 

  • Certain types of financial data

  • Data about a consumer’s sex life

  • Union membership

  • Government-issued ID

  • A consumer's email, mail, or texts

Opt-out vs. Opt-in

CPRA takes an opt-out approach to SPI. This means a business may use and disclose SPI without prior consent, but must give consumers a clear way to opt out if the processing activities extend beyond the specific purposes outlined in the regulations. 

On the other hand, VCDPA requires opt-in consent—meaning the business cannot process SPI without first getting a consumer’s consent. 

Data protection assessments 

In addition to obtaining consumer consent, businesses under the Virginia CDPA must also conduct data protection assessments prior to processing SPI. These assessments need to include information on: 

  • The risks and benefits of the data processing

  • When and how the business might use de-identified data

  • Consumer expectations about the data processing

  • The context of the processing

  • The relationship between the business and consumer

The VCDPA also states that data protection assessments must consider how the business's actions fit in with the other requirements laid out by the law, specifically: 

  • Limiting data collection to what’s “adequate, relevant and necessary”

  • Obtaining consent before processing SPI

  • Ensuring personal data is protected and secure

  • Providing a privacy notice

Though the CPRA doesn’t require businesses to conduct data protection assessments, it does state that businesses must conduct regular risk assessments if their data processing “presents significant risk to consumers' privacy or security.”

The risk assessment must disclose, among other things, whether a business is processing sensitive personal information. Similar to a data protection assessment, it must weigh the risks and benefits of the data processing. 

The onus for overseeing these risk assessments rests with the California Privacy Protection Agency (CPPA) and, though many believed the Draft Regulations would provide greater clarity on this requirement, there has yet to be further CPPA rulemaking on this topic. 


About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
