CCPA: Sensitive Personal Information
Sensitive Personal Information [§ 1798.121, 140(ae)]
Rule: Sensitive personal information (SPI) has enhanced protections under CPRA. Businesses must either get opt-in consent or provide consumers the right to limit its use.
What Is Sensitive Personal Information? [§ 1798.140(ae)]
| Category | Examples |
|---|---|
| Government IDs | Social Security number, driver’s license, state ID, passport number |
| Financial account | Account log-in, financial account number, debit card, credit card + any required access code/credentials |
| Precise geolocation | Location derived within radius of 1,850 feet (GPS-level) |
| Race/ethnicity | Racial or ethnic origin |
| Religion | Religious or philosophical beliefs |
| Union membership | Trade union membership |
| Genetic data | Genetic data |
| Biometric data | Processing biometric information for unique identification |
| Health | Information concerning health |
| Sex life/orientation | Information concerning sex life or sexual orientation |
| Communications content | Contents of mail, email, text messages (unless business is intended recipient) |
Consumer Right to Limit Use [§ 1798.121]
Consumers can direct businesses to limit use and disclosure of SPI to:
| Permitted Purpose | Description |
|---|---|
| Provide goods/services | Use necessary to perform services requested |
| Security | Prevent, detect, respond to security incidents |
| Resist malicious actions | Protect against fraud, illegal activity |
| Ensure safety | Physical safety of individuals |
| Short-term use | Transient use without profiling |
| Internal services | Services performed for the business |
| Verify/maintain quality | Quality/safety verification |
”Limit Use” Link Requirement [§ 1798.135(a)]
If collecting SPI for purposes beyond those listed above, must provide link:
- “Limit the Use of My Sensitive Personal Information”
- Or alternative opt-out preference link with icon
Exceptions — No “Limit Use” Required
No right to limit if SPI is:
- Collected/processed WITHOUT purpose of inferring characteristics
- Used only for permitted purposes above
Sensitive Data vs. Regular PI — Comparison
| Aspect | Regular PI | Sensitive PI |
|---|---|---|
| Default consent | Can collect with notice | May require limit-use option |
| Profiling | Opt-out available | Must limit if consumer requests |
| Secondary uses | Data minimization applies | Stricter purpose limitation |
| Notice | Privacy policy | Enhanced disclosure required |
Collecting Sensitive PI — Requirements
- Disclose at collection — Inform consumer you collect SPI
- State purposes — Explain why you collect it
- Provide limit option — Link to limit use (if using beyond permitted purposes)
- Honor requests — Stop secondary uses when consumer limits
Use Cases
| Use Case | Requires Limit Option? |
|---|---|
| SSN for employment verification | No (necessary for service) |
| Precise location for delivery | No (necessary for service) |
| Health data for targeted advertising | Yes |
| Biometrics for security access | No (security purpose) |
| Race/ethnicity for profiling | Yes |
| Financial info for payment processing | No (necessary for service) |
| Location history for behavioral ads | Yes |
CPPA Regulations — Additional Guidance
CPPA regulations clarify:
- Cannot use SPI to profile if consumer limits
- Cannot infer SPI from non-sensitive data to circumvent
- Must apply limit to downstream service providers
- Must provide confirmation of limit-use request
Practical Implementation
If you collect SPI:
- Audit data inventory — Identify all SPI categories collected
- Document purposes — Map each SPI to specific business purpose
- Assess necessity — Can you achieve purpose without SPI?
- Add “Limit Use” link — If using beyond permitted purposes
- Update service provider contracts — Include SPI restrictions
- Train employees — On SPI handling requirements