As noted in our intro alert for this series, new omnibus privacy laws are coming to Virginia and Colorado, and California’s existing comprehensive privacy law has been further modified by the CPRA. Don’t wait to implement your compliance updates, as they could require changes to your operations. These state privacy laws can apply even to businesses that have no offices or employees in the state, and they can also reach activities conducted outside of the applicable state. See our prior alert to determine whether these state laws apply to your business.
California’s, Virginia’s and Colorado’s state privacy laws have broad definitions of personal information and special rules for the subcategory of sensitive personal information or sensitive personal data (for purposes of this alert, all referred to as “SPI”). In general, personal information means information that can, directly or indirectly, link or be linked to a specific individual (and in the case of California, a household). The laws also introduced the concept of “sensitive” personal information, but the states define SPI differently as noted in the chart below.
An organization needs to understand where it holds and how it uses this new subcategory of personal data, because each state gives its consumers choices related to the use of this data. California gives consumers the right to limit sensitive data processing; unlike Virginia and Colorado, California does not use an “opt-in” model for SPI. Virginia gives consumers the right to opt in before companies can collect SPI, and it also requires companies to conduct risk assessments prior to processing SPI. An amendment to Virginia’s law has been proposed to carve out the opt-in requirement where the data is being used purely for marketing or other related purposes (meaning not something that could produce a legal or discriminatory decision). Colorado likewise gives consumers the right to opt in before companies can collect SPI, but the definition of “consent” differs between Colorado and Virginia. Colorado also requires companies to conduct risk assessments prior to processing SPI. All three laws require companies to be transparent regarding their processing of SPI.
In addition to locating SPI across operations in order to better address data subject requests, companies should also appropriately secure SPI to help mitigate other compliance risks. For example, while the CDPA and CPA define SPI more closely to concepts under European law, many of the SPI data elements defined by the CPRA overlap with categories of data that can trigger California’s breach notification law. California has a private right of action if a company fails to maintain reasonable security measures to protect this data and it leads to a compromise of the data, which also opens the door to broader CPRA compliance scrutiny and liability.
Sensitive Personal Information Defined
Notwithstanding the broader definitions of personal data and SPI under these laws, certain types of information are excepted from the laws as noted below (exempted entities are separately addressed in our prior alert).
Data Exceptions to SPI
The information contained in the tables above is a condensed summary and is not exhaustive of all legal requirements, potential exceptions or variables under the referenced laws. This overview does not substitute for considering the legal requirements in their entirety or in light of facts specific to a particular organization.
Womble Bond Dickinson’s Privacy Team can help you align your data governance with the new obligations to protect sensitive information.
1 Under CPRA, “deidentified” means “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that the business using the deidentified information: (1) takes reasonable measures to ensure that the information cannot be associated with a consumer or household; (2) publicly commits to maintain and use the information in deidentified form and not attempt to reidentify the information, except the business may attempt to reidentify the information solely for the purposes of determining whether its deidentification processes satisfy the requirements of this part; and (3) contractually obligates any recipients of the information to comply with all provisions of this section.” Cal. Civ. Code § 1798.140(m).
2 Under CDPA, “deidentified” means “data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.” Va. Code Ann. § 59.1-575.
3 Under CPA, “deidentified” means “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (a) takes reasonable measures to ensure that the data cannot be associated with an individual; (b) publicly commits to maintain and use the data only in a deidentified fashion and not attempt to re-identify the data; and (c) contractually obligates any recipients of the information to comply with the requirements of this subsection (11).” Colo. Rev. Stat. Ann. § 6-1-1303(11).