At a glance
Sensitive personal information (SPI) is a category of data that appears in both the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA).
Though there's overlap between these laws, they do differ in terms of definitions, opt-in/out-out approach, and data protection assessments.
With enforcement dates for CPRA and VCDPA coming up soon (July 1, 2023), businesses need to make sure they’re compliant when it comes to processing sensitive personal information.
Table of contents
Sensitive Personal Information in Virginia
Definition
The VCDPA defines sensitive personal information as a “category of personal data” that reveals details about a person’s:
Race
Ethnic origin
Physical or mental health
Religious beliefs
Citizenship or immigration status
Sexual orientation
Genetic or biometric data
Precise location
This category also includes any data collected on a “known child.”
The VCDPA and CPRA do differ in how they define sensitive personal information, specifically in terms of the types of data they protect—but we’ll cover that in more detail below.
Requirements for businesses
Under the Virginia CDPA, businesses must ask for a consumer’s consent before processing sensitive data. This stands in contrast to the CPRA, which takes an opt-out approach.
Businesses also need to conduct a data protection assessment before processing SPI, including details about:
The risks and benefits associated with the data processing
How the business will employ safeguards to mitigate those risks
Whether the business plans to use de-identified data
How the business will manage consumer expectations about the data processing
CPRA Sensitive Personal Information
To understand how the CPRA approaches SPI, we’ll look at the definitions for both sensitive personal information and personal information—a distinction that may seem small, but is actually pretty important when it comes to CPRA compliance.
Personal Information
Under CPRA, personal information is:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Essentially, it’s any data that might identify an individual or household, including someone’s:
Name
Home address
Account name
IP address
Email address
Passport number
Purchase history
Driver's license number
Social security number
Biometric data
Location data
Employment data
Browsing or search history
Personal information can also include inferences a company makes using any of the data above.
One thing to note is that personal information doesn’t include “de-identified” data—meaning data that’s had all the identifying aspects removed. To count as de-identified, the business must have safeguards in place to prevent re-identification down the line.
Sensitive personal information
Sensitive personal information was not originally part of California’s privacy laws i.e. the California Consumer Privacy Act (CCPA).
The concept of SPI was added with the CPRA, building on the concept of personal information defined within the CCPA. According to the California Privacy Rights Act, SPI includes:
Driver’s license number
Social security number
Passport numbers
Credit and debit card numbers
Log-in information for financial accounts
Data on a consumer’s religion, ethnicity, or race
Geolocation data
Biometric and genetic data
Data about a consumer's sexual orientation or health
A consumer's mail, email, or texts
How can a business use SPI
The goal of the CPRA Final Regulations is to give consumers the ability to limit the use and disclosure of SPI to certain purposes. If a business uses or discloses for purposes other than those outlined in the regulations, they must offer the ability to submit an opt-out request to restrict the useage. The purposes listed in the regulations are to:
Provide a good or service in line with the consumer’s expectations
Identify a security incident
Inhibit “malicious, deceptive, fraudulent, or illegal actions directed at the business”
Ensure someone’s physical safety
Display short-term “nonpersonalized advertising”
Provide services like account maintenance or customer service
“Verify or maintain the quality or safety of a product, service, or device ”
Use SPI in a manner "where the collection or processing is not for the purpose of inferring characteristics about a consumer"
You can find more details about these scenarios at section § 7027(m) of the Final Regulations.
VCDPA vs CPRA: Sensitive personal information
When it comes to sensitive personal information, there are a few ways that the VCDPA and CPRA differ: definitions, opt-out vs. opt-in approach, and data protection assessments.
Definitions
Though there’s quite a bit of overlap between both bills on the general definition of SPI, the specific data types they cover are different.
CPRA doesn’t cover:
Citizenship or immigration status
Data from a “known child”
And the VCDPA doesn’t cover:
Certain types of financial data
Data about a consumer’s sex life
Union membership
Government-issued ID
A consumer's email, mail, or texts
Opt-in vs. Opt-in
CPRA takes an opt-out approach to SPI. This means a business may use and disclose SPI without prior consent, but must give consumers a clear way to opt-out if the processing activities extend beyond the specific purposes outlined in the regulations.
On the other hand, VCDPA requires opt-in consent—meaning the business cannot process SPI without first getting a consumer’s consent.
Data protection assessments
In addition to obtaining consumer consent, businesses under the Virginia CDPA must also conduct data protection assessments prior to processing SPI. These assessments need to include information on:
The risks and benefits of the data processing
When and how the business might use de-identified data
Consumer expectations about the data processing
The context of the processing
The relationship between the business and consumer
The VCDPA also states that data protection assessments must consider how the business's actions fit in with the other requirements laid out by the law, specifically:
Limiting data collection to what’s “adequate, relevant and necessary”
Obtaining consent before processing SPI
Ensuring personal data is protected and secure
Providing a privacy notice
Though the CPRA doesn’t require businesses to conduct data protection assessments, it does state that businesses must conduct regular risk assessments if their data processing “presents significant risk to consumers' privacy or security.”
The risk assessment must disclose, among other things, whether a business is processing sensitive personal information. Similar to a data protection assessment, it must weigh the risks and benefits of the data processing.
The onus for overseeing these risk assessments rests with the California Privacy Protection Agency (CPPA) and, though many believed the Draft Regulations would provide greater clarity on this requirement, there has yet to be further CPPA rulemaking on this topic.
About Transcend
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.
References
Virginia Data Privacy Law Requires Opt-In For Sensitive Personal Data
Chapter 53. Consumer Data Protection Act
How do the CPRA, CPA & VCDPA treat sensitive personal information?
How do the CPRA, CPA & VCDPA approach data protection assessments?
Tags
