Since the California Consumer Privacy Act came into effect, it has enhanced privacy rights. The first lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, and it centered on the consumer rights of an individual.
Central to this was a definition of personal data. This was classed as data that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. Included in this is data likely to be seen as ‘sensitive’, and this has proved a more tricky area to define. As to what is meant by sensitive data, this could include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and genetic data.
Under the European GDPR, sensitive data is more clearly spelt out. An expert explains to Digital Journal that the understanding of ‘sensitive data’ is slowly being embedded into business practices.
The California Consumer Privacy Act is a bill designed to enhance privacy rights and consumer protection for residents of California, U.S. This means all businesses located within the state and all businesses that carry out transactions with the state. The bill was passed by the California State Legislature on June 28, 2018. This amended Part 4 of Division 3 of the California Civil Code. In 2020, the requirements came fully into effect.
In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which amended and expanded the CCPA.
Despite some initial confusion from companies and consumers, the legislation appears to becoming part and parcel of everyday commerce and with the workings of government agencies. Sergio Rotman, who is a certified compliance officer and PM, Privacy and Risk at Collibra, the data intelligence company, explains to Digital Journal why the legislation remains important: “The CPRA sought to strengthen and clarify aspects of the CCPA. The CPRA creates a dedicated enforcement arm, the California Privacy Protection Agency, that would potentially increase the scrutiny of compliance practices among businesses that handle personal information of California consumes.”
The CPRA also defines different types of data, especially personal data. With the more vague ‘sensitive data’, Rotman states there is now a legal precedent for this, and he summarizes what companies now need to consider as: “This means that “companies will want to update their privacy policies and how personal information is handled and disclosed under the CCPA.”
