Privacy Points 2023: Different Sensitive Personal Information Rights & Requirements Emerge in New US State Data Protection Laws


As 2023 dawned, both California and Virginia had new data protection laws in effect. Soon, Connecticut, Colorado and Utah will join their ranks, as the US states are rapidly filling the void left by the lack of federal and congressional action on omnibus data protection reform.

To view our previous commentary on the effective dates and scope of US state data protection laws, see here.

While each state’s data protection law undoubtedly has substantial differences, such as the rights it grants to individuals residing in that state, they all have one point of overlap: the introduction of “sensitive personal information” into US states’ data protection regimes.

Each state’s data protection law places increased requirements on the collection and processing of sensitive personal information, while also granting individuals, in some form, rights that give them greater control over how companies collect and process their sensitive personal information.

For specific information about the categories of information each state considers “sensitive” and the rights they grant to individuals, see below.

What constitutes sensitive personal information?

While each state’s definition differs slightly in its specifics, “sensitive personal information” can generally be understood as information that, if breached by an unauthorized third party or misused, would cause or could cause significant harm to the individual.

  • Sensitive identifiers: social security numbers, driver’s licenses, state/government ID cards, passport numbers
  • Financial data: Account login, financial account number, debit or credit card number in combination with any security or login code, password or credentials required to allow access to an account
    • California
  • Location data: Precise geolocation
    • California (within 1,850 feet or less), Connecticut (within 1,750 feet or less), Utah (within 1,750 feet or less), Virginia (within 1,750 feet or less)
  • Demographic information: Race, ethnicity, religious/philosophical beliefs, sexual orientation
    • California, Connecticut, Colorado, Utah, Virginia
  • Job data: Union membership
    • California
  • Private communications: Mail, email and text message content
    • California (unless the business is the intended recipient)
  • Medical data: Genetic, biometric and health data
    • California, Connecticut, Colorado, Utah, Virginia
  • Immigration information: Citizenship or citizen/immigration status
    • Connecticut, Colorado, Utah, Virginia
  • Data on children: Personal data of children (under 13)
    • Colorado, Connecticut, Utah, Virginia

As shown above, there is a large overlap between states in what is considered “sensitive” and therefore warrants higher protections or greater individual rights, such as demographic information, biometrics, health data, precise geolocation, etc. However, there are also important nuances.

For example, only California treats union membership and private communications of which the business was not the intended recipient as “sensitive personal information.” Additionally, California also includes a broad category of financial information (e.g., credit or debit card numbers) when collected in conjunction with login codes, passwords, or credentials that would allow access to funds and/or accounts.

The other four states – Connecticut, Colorado, Utah and Virginia – have essentially identical definitions. The difference between California and the other four states exemplifies the different approaches taken by the two legal regimes.

California (i) implemented its data protection law in tandem with an amended data breach notification law; and (ii) has included employee data within the scope of its data protection requirements. Therefore, the definition of “sensitive personal information” in California largely matches the definition of personal information used by most US breach notification laws (for example, sensitive identifiers, financial data) and includes categories relating to employees (e.g., trade union membership).

The other four states largely followed a European model (largely reflected in the EU’s General Data Protection Regulation), which is exemplified by states’ inclusion of immigration information and children’s personal data in the context of “sensitive personal information”.

It is important to note that while California does not include children’s personal information in the definition, California requires prior consent for the sharing or sale of children’s personal information (for children under 16).

In terms of health data, it is also important to note that the data protection laws of all five states include some form of exemption if a business is covered by and required to comply with HIPAA.

In practice, a business that falls, or may soon fall, under all or most of the five state data protection laws should develop a sensitive personal information compliance program that covers all of the aforementioned categories of sensitive personal data. Additionally, companies that rely on the collection and processing of sensitive personal information will need to analyze how the new data protection laws and the related data subject rights discussed below will affect their business model.

What rights are granted with respect to sensitive personal information?

While the definitions of sensitive personal information in each state generally overlap, states differ on how companies can collect sensitive personal information.

In summary, Colorado, Connecticut and Virginia require explicit prior consent, while California grants individuals the right to limit the use of their sensitive personal information. Utah falls somewhere in the middle and grants individuals the right to opt out entirely of the use of their sensitive personal information.

  • California Right to Restrict Use of Sensitive Personal Information

California grants individuals the right to limit the use of their sensitive personal information to only what is necessary. In essence, California law boils down to a limited right to opt out, meaning that an individual can only opt out of uses that fall outside his or her reasonable expectations.

Specifically, within 15 days of receiving a request to restrict the use of sensitive personal information, a business must cease using and disclosing that information except for the following purposes: (i) to perform services or provide products that are reasonably expected; (ii) to detect security incidents and protect the information transmitted; (iii) to defend the business’s legal rights and advance legitimate claims; (iv) to ensure the safety of others; (v) short-term, transient use, provided that the information is not used or disclosed to third parties for the purpose of creating a profile; and (vi) to maintain the quality or safety of the services and products.

The first exception is exemplary of California’s limited opt-out approach. If an employee exercises the right to restrict the use of their sensitive personal information, this does not prevent the employer’s business from disclosing and/or using such sensitive information to provide employee benefits, as that use is reasonably expected in the employee-employer relationship.

Under the California draft regulations, companies are also responsible for informing any third parties or service providers that have access to or are processing the sensitive personal information of the restriction request.

  • Connecticut, Colorado, Virginia Opt-In (Consent) Requirements

Connecticut, Colorado and Virginia take a simpler approach, albeit a more onerous one for a company that collects and uses sensitive personal data.

These three states prohibit the collection and processing of sensitive personal information unless the company first obtains the individual’s consent. This is in contrast to the California and Utah opt-out rights, which initially permit the collection and use of sensitive personal information and are based on the traditional “notice and choice” regime that laid the foundations of US privacy law.

Connecticut, Colorado and Virginia, on the other hand, move closer to a European-style privacy regulation by requiring affirmative consent.

  • Utah Right to Opt Out of Use of Sensitive Personal Information

Utah sits between California and the other three states. Utah’s data protection law gives individuals the right to opt out entirely of the use of their sensitive personal information.

In particular, before processing an individual’s sensitive personal information, a business must present the individual with (i) clear notice; and (ii) the option to opt out of the processing of their sensitive personal data.

In practice, this means creating a privacy policy or notice that clearly states the sensitive personal information the company collects and the specific purposes for which it is used. In tandem with this notice, businesses will need an easy-to-use mechanism for the user to opt out, which for businesses operating online may take the form of a linked form or settings page.

Considerations Moving Forward

If your business collects and/or uses sensitive personal information and falls within the scope of one of the five US state data protection laws, a thorough review of how that information is used will be required.

In addition, privacy policies and procedures will need to be expanded to provide clear notice to individuals, both to meet the transparency requirements of the various state laws and to satisfy the applicable opt-in or opt-out consent requirements.


Written by Natalia Chi
