The CPRA Sensitive Personal Information Data Category - Klein Moynihan Turco LLP

The CPRA Sensitive Personal Information Data Category

As the clock ticks closer to January 1, 2023, businesses need to, among other measures, update their privacy policies to comply with the California Privacy Rights Act (“CPRA”). At the start of 2023, the CPRA will come into effect, greatly altering California’s privacy landscape. While, in many ways, the CPRA picks up where the California Consumer Privacy Act (“CPPA”) left off, the CPRA should be seen as a significant expansion of consumer privacy rights codified under the CCPA. Of special importance, the CPRA creates a new regulated category of data, referred to in the statute as “sensitive personal information.”

CPRA Sensitive Personal Information

Pursuant to the CPRA, consumers will be able to prescribe how businesses use their sensitive personal information, including prohibiting the disclosure of this information to third parties under certain circumstances.

So what exactly is CPRA sensitive personal information? “Sensitive personal information” is defined under the CPRA as personal information that consists of a consumer’s: 

  1. Government identifiers, such as Social Security Numbers and drivers license numbers; 
  2. Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords);
  3. Precise geolocation information;
  4. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
  5. Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications;
  6. Genetic data; and
  7. Biometric information that uniquely identifies a consumer or information concerning a consumer’s health, sex life, or sexual orientation.

While some types of CPRA sensitive personal information are self-explanatory, “precise geolocation” information requires further elaboration. The Act defines precise geolocation information as “any data that is derived from a device, and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.” Accordingly, fitness trackers, rider share services, and other businesses that provide recommendations and/or services based on a consumer’s location must ensure that their data collection practices comply with CPRA Sensitive Personal Information requirements. 

Other Changes that differentiates the CPRA from the CCPA

The CPRA creates numerous new obligations for businesses concerning the collection, use, sale, and sharing of personal information. The CPRA law also affords consumers the right to request that a business correct any inaccurate personal information held by that business. In addition, the CPRA allows consumers to access a company’s information regarding automated decision-making technology, which may include a business’s efforts to profile a consumer’s habits, interests, or economic activity. Critically, the CPRA allows consumers to opt-out of a business’s automated decision-making technology altogether.

The CPRA also creates a new enforcement authority: the California Privacy Protection Agency (“CPPA”). The CPPA will have investigative, enforcement, and rulemaking powers. With the creation of the CPPA as a new, dedicated agency, many observers anticipate an increase in statutory enforcement. This is particularly significant because the CPRA removes the 30 day cure period that currently exists under the CCPA. This means that businesses will no longer have the opportunity to avoid liability by rectifying alleged violations after being formally notified by California’s Attorney General.

Again, please note that the CPRA will become operative on January 1, 2023, and apply to consumer information collected on or after January 1, 2022. Accordingly, businesses need to work quickly to ensure that their privacy policies and practices comply with new requirements set out by the CPRA. 

If you need assistance preparing for the CPRA, please email us at, or call us at (212) 246-0900 for regulatory compliance assistance.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Photo by LinkedIn Sales Solutions on Unsplash

Similar Blog Posts:

California’s Data Privacy Agency CPRA Rulemaking

How Does the Colorado Privacy Law Compare to the CCPA?

California Attorney General Announces New CCPA Changes


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Trending Topics

TCPA vicarious tcpa law woman holding cellphone telemarketing laws

TCPA Vicarious Liability

An Illinois federal district court judge recently held that State Farm Mutual Automobile Insurance Company (“State Farm”) may be vicariously liable for alleged Telephone Consumer

Read More »