California Expands Definition of Sensitive Information to Include “Citizenship or Immigration Status”

California Expands Definition of Sensitive Information to Include Citizenship or Immigration Status

In a further sign of the increased focus on personal information that is “sensitive,” the California Consumer Privacy Act (CCPA), as amended by the  California Privacy Rights Act (CPRA), has expanded the categories of information deemed sensitive to now include “citizenship or immigration status.” Specifically, in October 2023, Governor Newsom signed Assembly Bill 947.

As we have covered previously, information determined to be sensitive due to the privacy implications if processed in certain manners and, even worse, disclosed in a breach is seeing an increased regulatory focus both stateside as well as on the international stage, such as under privacy frameworks such as the European Union’s General Data Protection Regulations (GDPR).

Businesses subject to the CCPA as amended by the CPRA will have to ensure compliance with various rights, including those relating to rights to limit the use of “sensitive personal information,” which is now defined as:

(1) Personal information that reveals:

(A) A consumer’s social security, driver’s license, state identification card, or passport number.

(B) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

(C) A consumer’s precise geolocation;

(D) A consumer’s racial or ethnic origin, citizenship or immigration status [emphasis added as per October 2023 expanded definition of “Sensitive Information”], religious or philosophical beliefs, or union membership.

(E)The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

(F) A consumer’s genetic data.

(2)(A) The processing of biometric information for the purpose of uniquely identifying a consumer.

(B) Personal information collected and analyzed concerning a consumer’s health.

(C) Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

(3) Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information.

Going Forward

Beyond considerations concerning rights to limit, businesses should also review privacy policies and related notices to ensure that they account for any required additions, such as personal information that reveals citizenship or immigration status.