Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).
1. Right to Restrict Use of Sensitive Data
Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”
As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.
If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.
To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.
2. Right to Opt-Out of Cross-Context Behavioral Advertising
The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.
