Complying with the California Consumer Privacy Act can feel like assembling a tedious jigsaw puzzle. The pieces have irregular shapes, they don't fit neatly together and worse yet, you ran out of pieces and there are large gaping holes.
When it comes to processing sensitive personal information, the least risky approach is also the simplest: don't do it. Yet all organizations process some SPI — at least employee data — and must contend with putting the pieces of CCPA compliance together and opt-in and opt-out rights into action.
The importance of laying out the puzzle continues to mount as the definition of SPI expands. Starting 1 Jan. 2025, it will include "brain data" or "neural data." With the introduction of new technologies powered by artificial intelligence, the amount of SPI collected by businesses and inferences made based on that data is increasing exponentially.
The mosaic and benefits of opting in to maximize how data can be used
Unlike numerous global privacy laws, the CCPA does not have default opt-in consent requirements. Instead, it has an opt-out model. Although not required by the CCPA in most cases, obtaining opt-in consent can permit additional data processing activities and mitigate other risks like claims under the California Invasion of Privacy Act. The CCPA opt-in requirements are not specific to SPI and apply to personal information, including SPI, broadly.
As we try to form the CCPA puzzle, we find the reasons for needing opt-in consent under its data minimization principle and the reasons for needing to offer a right to limit use and disclosures of SPI are similar. A lack of necessity to process data can trigger both the opt-in requirement under the CCPA data minimization principle and the opt-out requirement specific to SPI.
Pursuant to the CCPA's data minimization principle, the collection, use, retention and sharing of personal information — sensitive or not — must be "reasonably necessary and proportionate" for a purpose compatible with the collection context. Notably, pursuant to California Civil Code 1798.100, the CCPA permits processing without obtaining opt-in consent for both processing that is reasonably necessary and proportionate to achieve a purpose for which the personal information was collected or processed consistent with the original intent or a different but still notified purpose that is compatible with the context in which the personal information was collected.
Whether a notified purpose is compatible with the collection context is based on factors enumerated in the CCPA regulations in Section 7002. Under this standard, a detailed privacy notice alone should permit most processing activities. No consent is needed.
If an intended processing purpose is not compatible with the collection context, but is reasonably necessary and proportionate for a purpose stated in the notice, the business may still process the data, but it must first obtain the consumer's opt-in consent. The idea seems to be that businesses should not bury a "surprising" purpose in a privacy notice and rely on notice alone.
If a business wants to process personal information for a purpose incompatible with the collection context, which some might view as a surprising purpose, consent is required. Consent alone cannot overcome the restriction that the processing activity must be necessary and proportionate for the notified purpose, but the consent element should reduce the risk of consumers being surprised to find their personal information is processed for purposes they did not expect based on the collection context.
Obtaining opt-in consent would expand the permissible processing a bit further as even surprising processing activities should be permissible with consent. Under the CCPA, consent is defined similarly as under the EU General Data Protection Regulation: It must be freely given, specific, informed and an unambiguous indication of the users' agreement. An example of consent is often evidenced by a click-wrap agreement such as checking an unchecked box after being presented with a privacy notice.
An opt-in model allows businesses to process personal information, including SPI, as extensively as the CCPA permits. The CCPA does not grant consumers a right to withdraw the consent granted to permit a business to maximize its permissible processing of personal information, although this is contemplated in the July 2024 draft updates to the CCPA regulations. Opt-out rights may separately apply.
Building the puzzle from the outside in: Opt out from certain inferences
When it comes to SPI processing, pursuant to California Civil Code 1798.121, a consumer has the right to opt out if the business uses SPI to infer characteristics and cannot identify a permissible purpose to process the SPI without offering opt outs.
The broadest purpose available is that the processing of the SPI is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods and services. Just as under the data minimization principle, the permissibility of the processing rests on necessity. And the requirement that the necessity is tied to the reasonable expectations of the consumer is similar to the requirement that the processing purpose is compatible with the collection context.
The CCPA defines an inference as the "derivation of information, data, assumption, or conclusions from facts, evidence, or another source of information or data." In its opinion interpreting inferences, the Office of the California Attorney General explains inferences could include "a characteristic deduced about a consumer (such as 'married,' 'homeowner,' 'online shopper' or 'likely voter') that is based on other information a business has collected (such as online transactions, social network posts, or public records)." If a business infers a consumer is a likely voter because of their union membership, that could be an example of an inference made based on SPI.
Unless a business can show the inference was within one of the enumerated purposes for SPI, it is required to provide the consumer an opportunity to optout to limit the use of the union membership information. Businesses can post a "Limit the Use of My Sensitive Personal Information" link or one of the alternative opt-out links, "Your Privacy Choices" or "Your California Privacy Choices," with a required blue and white opt-out icon.
Once a consumer directs a business to limit its use and disclosure of the consumer's SPI, the business is prohibited from using or disclosing the information beyond the permissible purposes enumerated in the CCPA unless the consumer subsequently provides consent for additional purposes. A business must wait at least 12 months from the date a consumer opts out before asking the consumer to consent to the use or disclosure of their SPI for additional purposes.
You can put the puzzle together without glue
Opt-in and opt-out requirements can both apply to SPI under the CCPA. In most cases, a business does not use SPI to infer characteristics and therefore does not need to provide a right to opt out. Such a business only needs to consider whether opt-in consent is required under the data minimization principle. But when inferences are made, businesses should analyze if they need to obtain opt-in consent and offer opt-out options.
If the processing purpose is not compatible with the collection context, then the business is required to obtain opt-in consent. And opt-out requirements may also be needed if "unnecessary" inferences are made during the processing of SPI.
Given the increasingly prescriptive requirements applicable to SPI, and the practical challenges associated with operationalizing opt ins and opt outs, it is most protective for businesses to avoid making inferences based on such information and only process personal information, including SPI, for purposes compatible with the collection context and not for any surprising purposes. That way, a business only needs to provide notice and would not need to operationalize opt ins or opt outs. At all times, processing must be limited to what is reasonably necessary and proportionate for a notified purpose. No notice or consent can overcome that restriction expressed in the CCPA data minimization principle.
As long as processing of SPI is necessary to provide something the consumer has requested, neither opt-in nor opt-out requirements should be triggered. The many small pieces of the CCPA can come together into a beautiful mosaic.
To ensure CCPA compliance, businesses should map data to classify SPI, determine if inferences based on SPI are being made, and assess if opt-in or opt-out rights are triggered.
Helena Engfeldt, CIPP/E, CIPP/US, and Justine Phillips are partners at Baker McKenzie.
