You may think you’re only collecting basic customer data: email addresses, names, maybe phone numbers. But under the CPRA, certain types of information are no longer just “personal.” They’re sensitive. And that distinction changes everything.
CPRA sensitive personal information (SPI) comes with stricter rules, higher risks, and added responsibilities. This guide helps you understand what qualifies as SPI, how it differs from regular personal data, and what your business needs to do to stay compliant and trusted.
What is CPRA sensitive personal information?
This section takes a closer look at SPI under the California Privacy Rights Act.
CPRA’s definition of sensitive information and its key characteristics
Under the CPRA, an amendment to the California Consumer Privacy Act (CCPA), sensitive personal information refers to data that goes beyond a name or email. It includes highly private details that, if mishandled, can cause significant harm to individuals.
Here’s what qualifies as CPRA sensitive personal information:
- Government identifiers (e.g., Social Security Number)
- Account log-in credentials
- Financial account, debit card, or credit card number together with the credentials needed to access the account
- Precise geolocation
- Consumer’s genetic data
- Biometric information used for identification
- Consumer’s health or sex life
- Religious beliefs
- Philosophical beliefs
- Ethnic origin, immigration status, or union membership
- Contents of a consumer’s communication (e.g., emails or text messages)
Essentially, if your business collects or infers anything deeply personal, CPRA now holds you to a higher standard.
How does CPRA sensitive personal information differ from personal information (PI vs SPI)?
Personally identifiable information/personal information (PI) includes identifiers such as a name, email address, or IP address: enough to track a user, but not always sensitive.
Sensitive personal information (SPI), however, is more delicate. Think of it this way: if PI is your business card, SPI is your diary.
PI vs SPI
While PI answers “Who is this?”, SPI can dive into “what makes this person vulnerable?”
That distinction matters because the CCPA/CPRA introduces new rights around SPI and additional business obligations.
Implications for businesses handling CPRA sensitive personal information
#1 Data protection requirements
If you collect SPI, CPRA requires that you:
- Minimise its use and disclosure strictly to what’s necessary
- Offer consumers the right to limit the use of their sensitive personal information to what is necessary to fulfil a required service
- Provide clear disclosures in a privacy policy linked from your homepage
- Respond to consumer requests efficiently

It’s not just about what you collect, but also why you collect it, how long you store SPI, and who you share it with.
#2 Consumer rights under CPRA
California residents now enjoy a suite of CPRA rights, including:
- The right to know what data is collected
- The right to limit the use and disclosure of sensitive data
- The right to delete
- The right to correct
You’re also responsible for honouring opt-out preference signals such as the Global Privacy Control (GPC).
How to comply with CPRA sensitive personal information rules?
#1 Conduct a data mapping exercise
Identify what SPI your business collects, where it’s stored, and how it’s used. This includes everything from credit card information to the consumer’s precise geolocation.
#2 Update your privacy policy
Your privacy notice (also called a privacy policy) should include, among other things:
- Categories of personal information and SPI that you collect
- The business uses for each category
- Whether data is sold or shared with service providers
- How consumers can submit requests
#3 Implement a “Limit the use of my sensitive personal information” link
Enable users to control their CPRA sensitive personal information directly from your homepage. This can be achieved through a simple link or a user-friendly toggle, allowing for easy management of their privacy settings.

“Limit the use of my sensitive information” link provided by the ISID in the footer of their website.
Single opt-out link
CPRA also requires businesses to provide an opt-out from the sale and sharing of personal data through a “Do not sell or share my personal information” link, in addition to the “Limit the use of my sensitive personal information” link.
Instead of adding two separate links to your footer, you can unify both links by implementing a single CPRA opt-out mechanism. This simplifies the process and reduces clutter by replacing multiple links with a singular option, such as “Your privacy choices” or “California privacy choices.”
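To make the toggle above and the GPC preference signal concrete, here is an added example (not code from the original article or from any vendor) that combines the signals into one “limit SPI” decision and strips SPI fields from a session-replay event before it is recorded. The field names and event shape are constructed assumptions; `Sec-GPC: 1` and `navigator.globalPrivacyControl` are the real Global Privacy Control signals.

```javascript
// Added example (not code from the original article): decides whether a visitor
// has limited the use of their sensitive personal information (SPI) and strips
// SPI fields from a heatmap / session-replay event before it is recorded.
// Field names and the event shape are constructed assumptions for this demo;
// `Sec-GPC: 1` and navigator.globalPrivacyControl are the real Global Privacy
// Control signals.

// SPI categories from the article that tracking tooling tends to capture.
const SPI_FIELDS = new Set([
  "precise_geolocation", // high-precision lat/long
  "login_credentials",   // account username/password pairs
  "message_contents",    // contents of a consumer's communications
  "health",              // health or sex-life data
  "financial_account",   // account or card numbers
]);

// True when the visitor has asked to limit SPI use through any of:
//  - the Global Privacy Control request header `Sec-GPC: 1` (header names are
//    case-insensitive, so the lookup ignores case)
//  - the browser flag navigator.globalPrivacyControl, passed in by the caller
//  - the "Limit the use of my sensitive personal information" toggle, passed
//    in as the stored preference the site persisted when the user set it
function spiUseLimited({ headers = {}, navigatorGpc = false, storedLimit = false } = {}) {
  const gpc = Object.entries(headers).find(([name]) => name.toLowerCase() === "sec-gpc");
  if (gpc && String(gpc[1]).trim() === "1") return true;
  return navigatorGpc === true || storedLimit === true;
}

// Returns the event untouched when use is not limited; otherwise a deep copy
// with every SPI key removed at any nesting depth. The input is never mutated.
function redactSpi(event, limited) {
  if (!limited || event === null || typeof event !== "object") return event;
  if (Array.isArray(event)) return event.map((item) => redactSpi(item, limited));
  const out = {};
  for (const [key, value] of Object.entries(event)) {
    if (SPI_FIELDS.has(key)) continue;
    out[key] = redactSpi(value, limited);
  }
  return out;
}

// Constructed sample: a session-replay event captured on a checkout page.
const sampleEvent = {
  page: "/checkout",
  clicks: [{ x: 120, y: 340 }],
  precise_geolocation: { lat: 34.052235, lon: -118.243683 },
  form: { email: "user@example.com", login_credentials: { user: "u", pass: "p" } },
};
```

In a real deployment the same decision should gate collection at the source (for example, not requesting precise geolocation at all), since redaction after capture only protects what reaches the analytics store.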

#4 Establish a robust response process
Whether it’s a request to delete data or an inquiry about inferences, account log-in details, or geolocation data, businesses must respond within the statutory timeframe.
The law prescribes 45 days as the response period, which can be extended to 90 days under specific circumstances.
The California Privacy Protection Agency requires businesses to act on requests to opt out of the sale or sharing of personal data, and to limit the use of sensitive information, as soon as possible and within 15 business days at most.
#5 Train your team
Is your marketing team sending text messages based on inferences from sensitive information, or your dev team logging biometric data? Everyone needs to know what’s at stake. Training is essential to prevent data breaches, especially involving SPI.
#6 Implement security controls and conduct data protection impact assessments (DPIAs)
Fortify your security posture by implementing security controls and assessing the impact of processing beforehand through regular DPIAs. This is a best-practice approach to evaluating risks and demonstrating accountability, especially if regulators investigate data breaches or unauthorised sharing.
What are some modern technologies that impact CPRA compliance?
Though today’s technologies redefine convenience, they are often data-hungry, raising the stakes for CPRA compliance. Here’s how these tools are shaping privacy obligations under the law.
Facial recognition and computer vision
What it does
These technologies identify individuals based on biometric information such as facial features, used in authentication (e.g., unlocking phones) or surveillance (e.g., in stores or public spaces).
Risk under CPRA
The data qualifies as sensitive personal information. If facial recognition is used for marketing, behaviour analysis, or similar purposes, businesses must disclose this and allow consumers to limit the use of their SPI.
Wearable devices and health tech
What it does
Devices like fitness trackers and smartwatches collect real-time health data, including heart rate, sleep patterns, activity levels, and sometimes emotional state.
Risk under CPRA
This is classified as SPI related to the consumer’s health. If a business uses this for insurance, marketing, or profiling, it must provide consumers a clear opt-out and ensure data security to prevent data breaches.
Behavioural analytics and user tracking tools
What it does
Tools like heatmaps, session replays, and mouse tracking collect data about how users interact with websites or apps.
Risk under CPRA
These tools can record account log-in behaviour, text inputs, or contents of a consumer’s communication, potentially qualifying as SPI. Businesses need to disclose this in their privacy policies and honour preference signals.
Smart home devices
What it does
Devices like smart TVs, thermostats, and security systems often collect ambient data, including conversations, movement, and geolocation data.
Risk under CPRA
These devices may capture audio, video, or even inferences about household composition, behaviour, or religious beliefs based on usage patterns. All of these could be considered SPI, requiring transparent consent management and usage disclosures.
Automated decision-making and AI-based profiling
What it does
AI algorithms profile users for targeted ads, credit risk assessment, or fraud detection by analysing data like financial account activity, geolocation, shopping habits, or ethnic origin.
Risk under CPRA
These inferences can affect significant decisions. Businesses must disclose such information and allow users to limit SPI usage.
Augmented reality (AR) and virtual reality (VR)
What it does
AR/VR experiences can collect biometric information, eye movement, body language, and voice input to enhance interaction.
Risk under CPRA
These immersive experiences can blur the lines of consent and data boundaries. Businesses using AR/VR must clearly define what categories of personal information they collect and ensure CPRA compliance, especially when tracking sensitive personal data in real time.
Connected vehicles and telematics
What it does
Modern vehicles track precise geolocation, driver behaviour, speed, and even passenger data.
Risk under CPRA
This data is often shared with insurers or marketers. Precise geolocation is SPI under CPRA, requiring disclosure and control mechanisms for California residents.
Chatbots and NLP interfaces
What it does
Customer service bots and AI chat interfaces process text messages, email content, and account-related queries.
Risk under CPRA
These may inadvertently process the contents of a consumer’s communication or collect identifiers like passport numbers or driver’s license numbers. Ensure consent flows cover this processing and limit data retention.
Conclusion: Why does CPRA compliance matter more than ever?
With new CPRA amendments, stronger rulemaking, and expanding consumer rights, handling SPI requires more than a patchwork of policies. It demands strategic thinking, airtight data security, and user-first experiences.
Non-compliance isn’t just a fine. It’s a headline waiting to happen. Mishandling a Social Security number, a consumer’s health record, or a consumer’s consent can erode brand trust instantly. Start by mapping your data. Update your privacy notice. Empower users with SPI limit controls.
CPRA, like the General Data Protection Regulation (GDPR) in the EU, raises the bar for data privacy. Your job isn’t just to meet the requirements. It’s to build systems that earn trust — and keep it.
FAQ on CPRA sensitive personal information
Sensitive personal information under CPRA includes data such as social security number, driver’s license, passport number, account log-in credentials, financial account information, precise geolocation, genetic data, biometric information, health or sex life details, religious or philosophical beliefs, ethnic origin, immigration status, union membership, the content of communications, and inferences drawn to create consumer profiles.
While personal information (PI) can identify an individual (like name or email), sensitive personal information (SPI) is more private and could create vulnerability if mishandled. CPRA grants consumers specific rights and imposes stricter obligations on businesses regarding SPI compared to general PI.
Businesses collecting SPI under CPRA must minimise its use and disclosure, offer consumers the right to limit its use, provide clear disclosures in their privacy policy, conduct impact assessments, and efficiently respond to consumer requests regarding their SPI.
CPRA grants California residents the right to limit the use and disclosure of their sensitive personal information. Businesses must provide a clear mechanism for consumers to exercise this right, often through a link on their homepage labelled “Limit the Use of My Sensitive Personal Information” or a similar user-friendly control.
The California Privacy Protection Agency (CPPA) and the Attorney General enforce CPRA through audits, investigations, and legal action. Businesses can face fines of up to $7,500 per violation, especially for mishandling sensitive personal information.
Both CPRA and GDPR define categories of sensitive personal information, including data on health, sexual orientation, racial or ethnic origin, religious beliefs, and genetic data.
GDPR also includes political opinions, while CPRA uniquely includes account log-ins, precise geolocation, neural data, and the contents of private communications.