CPRA compliance: How to protect PII and sensitive personal information
When the California Consumer Privacy Act (CCPA) was enacted on January 1, 2020, it gave consumers the right to control the use of their personal data. The regulation enabled consumers to discover what personal information businesses collect about them and learn how it is used, shared, and stored.
Personally identifiable information (PII) was a focal point of the CCPA. However, there was a challenge: some types of data needed extra protection. Certain data, such as financial information and health records, poses significant risks if leaked. These risks include stigmatization, loss of employment opportunities, financial fraud, and long-term emotional and psychological impact.
An upgrade to the CCPA, called the California Privacy Rights Act (CPRA), was adopted in November 2020, although many of its provisions didn't become operational until January 2023. The CPRA introduced a subset of PII classified as Sensitive Personal Information, or SPI. A key component of the CPRA is a structured approach to data protection: classifying personal information by its sensitivity and safeguarding it accordingly.
Let's look at what is classified as personal information and sensitive personal information before we look at how to protect them.
What is PII?
PII refers to any data that can be used to identify a specific individual. Given the sensitive nature of this information, numerous global data privacy regulations require organizations to clearly disclose whether they collect PII, whether it is shared or sold to third parties, how it is stored and protected, and the rights users have regarding their data. If this sensitive information falls into the wrong hands, it could lead to identity theft, fraud, defamation, and other serious risks.
Originally, PII focused on direct identifiers, such as:
- Full names (first and last)
- Physical addresses
- Email addresses
- Phone numbers
- Social Security numbers
- Identification (ID) and passport numbers
However, the scope of PII has expanded to include indirect identifiers—information that alone may not reveal someone's identity but can do so when combined with other data. Let's look at an example to understand this:
Imagine you have the following pieces of data:
- IP Address: 192.0.2.1
- Birthdate: January 18
- Zip Code: 12345
Individually, each piece of data might not directly identify a person. For instance:
- IP Address: This tells you the network from which a person accessed the internet, but not the individual's identity.
- Birthdate: Many people share the same birthdate.
- Zip Code: Many individuals live within the same zip code.
However, when you combine these pieces of data, you significantly narrow down the potential individuals who match all three criteria:
- A person accessing the internet from a specific IP address,
- Who was born on January 18,
- And lives in the zip code 12345.
By combining this information with other available data, such as online activity or social media profiles, you can potentially identify the specific individual. This is why the scope of PII now includes indirect identifiers: to ensure all aspects of a person's identity are protected, even when only seemingly benign data is available.
Other indirect identifiers include:
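To make the narrowing above measurable, here is an added example (not code from the original article) that counts, over a constructed record set, how many records share a person's values for each combination of the three quasi-identifiers; a group of size 1 means that combination singles the person out. The records are constructed and the IP addresses come from documentation ranges; the same functions work for any set of quasi-identifier columns, not just these three.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people); IPs are from documentation ranges.
# Each row holds the three quasi-identifiers discussed above.
RECORDS = [
    {"ip": "192.0.2.1",    "birthdate": "01-18", "zip": "12345"},
    {"ip": "192.0.2.1",    "birthdate": "03-02", "zip": "12345"},
    {"ip": "192.0.2.1",    "birthdate": "01-18", "zip": "67890"},
    {"ip": "198.51.100.7", "birthdate": "01-18", "zip": "12345"},
    {"ip": "198.51.100.7", "birthdate": "01-18", "zip": "12345"},
    {"ip": "198.51.100.7", "birthdate": "03-02", "zip": "67890"},
]
QUASI_IDENTIFIERS = ("ip", "birthdate", "zip")

def group_sizes(records, fields):
    """Size of each equivalence class: how many records share each value combination."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def anonymity_set_size(records, target, fields):
    """Records that share the target's values for `fields`; 1 means the target is singled out."""
    return group_sizes(records, fields)[tuple(target[f] for f in fields)]

def min_group_size(records, fields):
    """The k of k-anonymity for this field combination: the smallest group anyone falls into."""
    return min(group_sizes(records, fields).values())

def risky_combinations(records, fields=QUASI_IDENTIFIERS, k=2):
    """Field combinations that leave at least one person in a group smaller than k."""
    return [combo
            for n in range(1, len(fields) + 1)
            for combo in combinations(fields, n)
            if min_group_size(records, combo) < k]
```

Running this over a real export before release (with the actual quasi-identifier columns) tells you which column combinations must be generalized or dropped before the data can be treated as anything other than PII.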
- IP addresses
- Login credentials
- Geolocation data
- Device identifiers
- Date of birth
- Gender or sexual identity
- Biometric data (such as fingerprints or facial recognition)
PII plays a critical role in a variety of business operations, including identity verification, delivering personalized user experiences, and facilitating communication. As such, safeguarding PII is essential to protect an individual's privacy and ensure regulatory compliance. Proper PII protection is crucial for organizations handling personal data to maintain trust and avoid potential legal and financial consequences.
What is SPI?
With the introduction of SPI, the subset of PII known as Sensitive Personal Information, the CPRA granted consumers extra protection because of the confidential nature of this information. While SPI is not inherently more sensitive than PII in all cases, combining SPI with direct PII identifiers can significantly increase the risk of harm, because it often reveals more specific details about an individual's sensitive characteristics or attributes. Consumers were granted the right to limit the use and disclosure of their confidential information. Let's look at an example to understand this. Imagine a scenario where only PII is exposed:
- PII Alone: A data breach exposes someone's name (John Doe) and address (123 Main St). This information, while sensitive, might not lead to significant harm on its own.
Now, consider a scenario where SPI is combined with PII:
- SPI and PII Combined: The same data breach also exposes John's medical records (indicating a specific health condition). This combination of PII (name and address) with SPI (medical records) significantly increases the risk of harm.
Risks
- Privacy Violation: The exposure of John's medical condition alongside his name and address can lead to a serious breach of privacy.
- Discrimination: John might face discrimination or stigmatization based on the revealed health information.
- Financial Harm: Attackers might use the combined information to commit identity theft or fraud, targeting John with scams or phishing attacks.
As a result, SPI requires enhanced security measures to protect against exposure and mitigate potential damage.
Examples of SPI include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification (for example, fingerprints, facial recognition)
- Health information
- Data related to an individual’s sex life or sexual orientation
- Criminal history
- Contents of personal communications (for example, physical mail, emails, text messages)
The high level of sensitivity associated with SPI lies in its potential to cause significant harm, such as discrimination, stigmatization, or other negative consequences if exposed or misused. Given its nature, SPI requires heightened protection and careful handling to prevent misuse and safeguard individuals' privacy rights.
Under the CPRA mandates, SPI requires more stringent protections compared to regular PII. In the event of a data breach, the exposure of SPI is treated with heightened severity and incurs greater penalties. This distinction underscores the need for enhanced safeguards to protect the most sensitive forms of personal data and ensures that consumers' privacy and security are given paramount importance.
What are the differences in protection measures for SPI and PII?
Here's what to know about protecting PII and SPI.
How to protect PII
- Data encryption: Encrypting data both in transit and at rest is crucial to prevent unauthorized access. This means that when PII is being transmitted over networks or stored in databases, it is encoded in such a way that only authorized parties can decrypt and understand it.
- Access controls: Implementing strict access controls involves setting permissions to ensure that only authorized personnel can access PII. This typically includes assigning user roles and privileges, ensuring that individuals only have access to the data necessary for their job functions.
- Regular audits: Conducting regular security audits and vulnerability assessments helps identify and address potential security weaknesses. These audits can uncover any unauthorized access attempts, misconfigurations, or other vulnerabilities that could put PII at risk.
- Data minimization: Collecting only the necessary amount of PII means gathering only the data required for a specific purpose. It is supported by anonymization, which removes or alters personal information so that individuals cannot be identified, directly or indirectly, and by pseudonymization, which replaces personal identifiers with pseudonyms or artificial identifiers where possible and removes or obscures the remaining personally identifiable elements. Note that pseudonymized data can still be linked back to a person by whoever holds the mapping or key, so it remains personal information and must be protected as such.
- User authentication: Using strong authentication methods, like multi-factor authentication, adds an extra layer of security by requiring multiple forms of verification before granting access to systems containing PII. This reduces the risk of unauthorized access due to compromised credentials.
How to protect SPI
- Advanced encryption: Using stronger encryption standards for SPI than for regular PII ensures that even if data is intercepted, it remains inaccessible and unreadable to unauthorized parties. This involves employing more robust encryption algorithms and keys.
- Enhanced access controls: Implementing more stringent access controls for SPI includes role-based access and regular access reviews. Role-based access ensures that only individuals with specific roles can access SPI, while regular reviews verify that access permissions are up-to-date and appropriate.
- Data masking: Masking sensitive data ensures that SPI is not exposed, even during processing. This can involve techniques such as replacing sensitive information with asterisks or other symbols, or using tokenization to substitute the original data with placeholders.
- Regular monitoring: Continuous monitoring of systems handling SPI for any suspicious activities is essential for quickly detecting and responding to potential security breaches. This involves using advanced SIEM solutions to analyze and alert on unusual behavior.
- Incident response plan: Having a robust incident response plan specifically for SPI breaches ensures that there are predefined procedures for managing and mitigating the impact of a security incident. This includes steps for containing the breach, notifying affected individuals, and preventing future occurrences.
- Data retention policies: Implementing strict data retention policies ensures that SPI is not kept longer than necessary. This involves defining and enforcing rules for how long SPI should be retained and securely disposing of it when it is no longer needed.
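As an added example (not the article's or Log360's code), the following Python sketch applies measures from both lists to a single record: PII fields are pseudonymized with a keyed HMAC, SPI fields are tokenized into a separate vault, reads return the clear value only to cleared roles and a masked value to everyone else, and a retention check refuses and purges SPI older than the limit. The field names, role names, and 365-day retention period are assumptions; the per-run key stands in for a managed key stored apart from the data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Field classes drawn from the PII and SPI lists above (constructed subset of field names).
PII_FIELDS = {"name", "email", "phone", "ip"}
SPI_FIELDS = {"health_condition", "religion", "union_member"}
SPI_READ_ROLES = {"clinician", "privacy-officer"}  # assumed roles cleared to read SPI
SPI_RETENTION = timedelta(days=365)                 # assumed SPI retention limit
PSEUDONYM_KEY = secrets.token_bytes(32)             # per-run key; in production a managed key

def pseudonymize(value: str) -> str:
    """Keyed, deterministic pseudonym: joinable across records, not guessable without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask(value: str, keep: int = 1) -> str:
    """Keep the first `keep` characters and replace the rest with asterisks."""
    return value[:keep] + "*" * (len(value) - keep)

class TokenVault:
    """Token -> SPI mapping; lives in a separate store with its own access controls."""
    def __init__(self):
        self._store = {}
    def tokenize(self, value, field, collected_at):
        token = "tok_" + secrets.token_hex(8)  # random token: reveals nothing about the value
        self._store[token] = (value, field, collected_at)
        return token
    def reveal(self, token, role, now):
        """Clear value for cleared roles, masked value for anyone else, nothing past retention."""
        value, field, collected_at = self._store[token]
        if now - collected_at > SPI_RETENTION:
            raise LookupError(f"SPI field {field!r} is past its retention period")
        return value if role in SPI_READ_ROLES else mask(value)
    def purge_expired(self, now=None):
        """Retention enforcement: delete SPI older than SPI_RETENTION and return the count."""
        now = now or datetime.now(timezone.utc)
        expired = [t for t, (_, _, ts) in self._store.items() if now - ts > SPI_RETENTION]
        for t in expired:
            del self._store[t]
        return len(expired)

def protect_record(record, vault, collected_at):
    """Pseudonymize PII fields, tokenize SPI fields into the vault, pass the rest through."""
    return {f: pseudonymize(v) if f in PII_FIELDS
            else vault.tokenize(v, f, collected_at) if f in SPI_FIELDS
            else v
            for f, v in record.items()}
```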