2. Strengthened protection for Sensitive Data

An in-depth comparison between ADPPA (American Data Privacy and Protection Act) and the CALIFORNIA PRIVACY LAWS*
*CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act)

Result of comparison:
The protection provided by ADPPA is higher than that set out by California privacy laws.
This is because ADPPA restrictions apply in all circumstances (not just for inferring characteristics about a consumer). Furthermore, third-party transfers and the use of a consumer’s browsing history for secondary purposes require a specific opt-in/consent.
Unlike the CCPA, ADPPA does not allow additional uses with notice and choice.

ADPPA:
  • The above-mentioned data minimization principle has an even stricter application for sensitive data.
  • The term sensitive data covers a wider range of data categories, such as health data, biometric and genetic data, and sexual orientation. The definition also includes government-issued identifiers, financial account numbers, geolocation, private communications, login credentials, calendar information, address book information, and private photos/videos.
  • Race, ethnic origin, religion, or union membership are not considered Sensitive Data.
  • Processing of sensitive covered data is only permitted if strictly necessary for providing a specific product or service requested by the individual, or for other permitted purposes (e.g. complying with legal obligations, user authentication, security and fraud prevention, public interest research).

California privacy laws (CCPA/CPRA):
  • Strengthened protection of sensitive data is required only when the purpose of processing is “inferring characteristics about a consumer.” In that case, companies may avoid seeking consent if the processing is necessary for providing a service, for security purposes, for non-customized advertising, internal operations and quality assurance (other exceptions could be implemented by the legislator).
  • In some cases, companies just need to inform consumers with a notice and provide them with an opt-out mechanism.
  • Sensitive personal information includes, inter alia, race, religion, or union membership; communications content; sexual behavior information; government identifiers; health and financial information; biometric and genetic data; login credentials; and location.