In consumer privacy protection news, the California Governor has signed into law a statute that added “neural data” to the definition of “sensitive personal information” in California’s consumer privacy protection statute. See Barron’s media report here. The new law is an amendment to existing statutes and is known as Senate Bill 1223.

What is “sensitive personal information” in California?

California’s consumer data privacy protection statute attempts to protect consumers’ personal information. Examples of “personal information” include a person’s name, email address, purchase history, browsing history, address and other location data, IP address, and more. Within the category of “personal information” is a subset of data that is designated as “sensitive data.” As noted, California has now added “neural data” as a type of “sensitive personal information.” With the addition of “neural data,” “sensitive personal information” now means the following personal information:

(A) A consumer’s social security, driver’s license, state identification card, or passport number

(B) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account

(C) A consumer’s precise geolocation

(D) A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership

(E) The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication

(F) A consumer’s genetic data

(G) A consumer’s neural data

Senate Bill 1223 defines “neural data” to mean “… information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

Why distinguish between “sensitive personal information” and “personal information?”

California’s consumer data protection statutes give consumers various rights regarding their data. For example, consumers are entitled to know what categories of data are being collected and processed, what the business purpose is for the collection and processing, what data is currently being held by the business, with whom the data is sold or shared, etc. Those rights apply to all “personal information” that is collected and processed.

For the more limited category of “sensitive personal data,” the California statutes limit the uses for which businesses can collect and process such information. If a business wants to process sensitive personal information for other uses, then the business must provide a notice to consumers explaining those uses and allow consumers to opt out of allowing their sensitive personal data to be processed for those purposes. Generally, such “opt-out” choices must be permitted via a “clear and conspicuous link” on the website homepage that says something like: “Limit the Use of My Sensitive Personal Information.” “Neural data” is now on the list of data that requires a notice and an opt-out choice for non-approved business uses.

Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.