Example “Limit The Use Of My Sensitive Personal Information” page 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Example of a Limit The Use of My Sensitive Personal Information Page

If you are a business that needs to comply with the California Privacy Rights Act (CPRA), you may be aware of the requirement to have a page on your website titled “Limit The Use Of My Sensitive Personal Information.” This page allows residents of California to exercise their right to limit the use and disclosure of their sensitive personal information by the business. While the guidance on this page from the California Attorney General’s Office and the California Privacy Protection Agency is pretty short and simple, it is also relatively clear on what businesses must do to meet this requirement. In this article, we will discuss the CPRA’s “Limit The Use Of My Sensitive Personal Information” page requirement, including: 

  1. Who the CPRA applies to; 
  2. Who needs a “Limit The Use Of My Sensitive Personal Information” page; 
  3. What this page should include; and 
  4. The Privacy Policy requirements of the CPRA. 

If your business also needs to have a “Do Not Sell My Personal Information” page or a “Do Not Share My Personal Information” page, make sure to read our articles on the requirements of these pages as well. 

Who needs to comply with the California Privacy Rights Act 

The requirement of having a “Limit The Use of My Sensitive Personal Information” page applies to businesses that need to comply with the CPRA. While many businesses assume that they will need to comply with the CPRA if they are located in California, do business there, or collect the personal information of residents of California, this is simply not the case as additional conditions need to be met for the law to apply. 

CPRA applies to businesses that collect the personal information of residents of California, do business in California, and that meet at least one of the following criteria: 

  1. Have annual gross revenue of more than $25,000,000; 
  2. Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers or households; or 
  3. Annually buy, sell or share the personal information of 100,000 or more California consumers or households. 

As you can see from the above, the CPRA mainly applies to large businesses. However, small businesses may be subject to the CPRA through contracts if they process personal information for a client that meets the criteria above. 

Who needs a “Limit The Use Of My Sensitive Personal Information” page

Your business will need to have a “Limit The Use Of My Sensitive Personal Information” page if you: 

  1. Need to comply with the CPRA; and 
  2. Use or disclose sensitive personal information for reasons other than those set forth below. 

The CPRA defines “sensitive personal information” as personal information that reveals any of the following: 

  1. A consumer’s social security, driver’s license, state identification card, or passport number; 
  2. A consumer’s account log-in, financial account, debit card or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; 
  3. A consumer’s precise geolocation information; 
  4. A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; 
  5. A consumer’s genetic data; 
  6. Biometric information for the purpose of uniquely identifying a consumer; 
  7. Personal information concerning a consumer’s health; 
  8. Personal information concerning a consumer’s sex life or sexual orientation. 

You will need a “Limit The Use of My Sensitive Personal Information” page if you use or disclose any of the information listed above for purposes other than the ones listed below: 

  1. To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; 
  2. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information; 
  3. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions; 
  4. To ensure the physical safety of persons; 
  5. For short-term, transient use, including, but not limited to, non-personalized advertising; 
  6. To perform services on behalf of the business; 
  7. To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by the business and to improve, upgrade or enhance such product, service or device; 
  8. To collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer. 

What a “Limit The Use Of My Sensitive Personal Information” page should look like 

The purpose of this page is to inform residents of California that they have the right to limit the business’s use and disclosure of their sensitive personal information and to provide them with an opportunity to exercise this right. Businesses need to provide a link to this page on their website. Clicking on that link must either: 

  1. Immediately effectuate the right to limit; or 
  2. Take them to a page where they can learn more about this right and exercise this right. 

If the link takes the individual to a page where the individual can exercise their right to limit the use and disclosure of their sensitive personal information, that page must include the following:

  1. A description of the consumer’s right to limit; and 
  2. Instructions on how the consumer can exercise their right to limit. If the page is provided on a website, it must include a form where an individual can exercise this privacy right. 

An example of a “Limit The Use Of My Sensitive Personal Information” page would look something like this: 

“Please note that we may collect, use and disclose your sensitive personal information. To learn more about our collection, use and disclosure of your sensitive personal information, please read our Cookie Policy. Residents of California have the right to limit the use and disclosure of sensitive personal information. You may exercise your right to limit by submitting the form below.” This message would then be followed by a simple form where an individual can input their personal information and request to limit the use and disclosure of their sensitive personal information. 

It is important to note that the “Limit The Use Of My Sensitive Personal Information” link must be easily accessible and visible to the users of the website. The form on that page must require minimal steps and be easy to use. Lastly, businesses cannot require an individual to create an account in order to exercise their privacy rights. 

The Privacy Policy requirement 

In addition to the other Privacy Policy disclosure requirements of the CPRA, your Privacy Policy must disclose: 

  1. The sensitive personal information that is to be collected; 
  2. The purposes for which the sensitive personal information is to be used; 
  3. Whether sensitive personal information is sold and to whom it is sold; 
  4. Whether sensitive personal information is shared and with whom it is shared; 
  5. How long the sensitive personal information will be retained. 

If you are using the Termageddon Privacy Policy generator and select that the CPRA applies to you, then your Privacy Policy will include the disclosures discussed above. 

As you can see from the above, the “Limit The Use Of My Sensitive Personal Information” page is not required for all businesses and can be relatively simple in terms of the contents and functionality of that page. If the CPRA applies to you, make sure to read our articles on the “Do Not Sell My Personal Information” and “Do Not Share My Personal Information” pages.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
