CPRA added § 1798.121 establishing a new category of sensitive personal information (SPI) — Social Security numbers, precise geolocation, financial account credentials, biometric identifiers, health data, racial and ethnic origin, and a few others defined in Civil Code § 1798.140(ae) — with heightened protections. Collecting SPI without a separate privacy policy disclosure is a violation. Using SPI for profiling or cross-context behavioral advertising without offering a "Limit the Use of My Sensitive Personal Information" mechanism is a separate violation. Precise geolocation (within 1,850 feet via navigator.geolocation) is the most common SPI collected by AI-built apps that don't realize it qualifies.
Severity is low because an SPI violation requires both collection and either a missing disclosure or an impermissible use; the combination is detectable but depends on the application's specific data flows.
Search your codebase for navigator.geolocation, SSN field names, financial account inputs, and biometric API calls to identify SPI collection points. Add a Sensitive Personal Information section to your privacy policy for each category found.
## Sensitive Personal Information (add to privacy policy per CPRA § 1798.121)
We collect the following sensitive personal information:
- Precise geolocation — used only to show nearby service locations
We use sensitive personal information solely as necessary to deliver the requested
service, as permitted under California Civil Code § 1798.121. We do not use
sensitive PI for inferring characteristics or cross-context behavioral advertising.
To limit our use of your sensitive personal information, contact: privacy@example.com
If SPI is used only for the permitted purposes listed in § 1798.121 — service delivery, security, quality control — you do not need to build a separate "Limit Use" UI, but the policy disclosure is mandatory regardless.
ID: ccpa-readiness.privacy-disclosures.sensitive-pi-notice
Severity: low
What to look for: CPRA added a new category of "sensitive personal information" (SPI) with additional protections. SPI includes: Social Security numbers, driver's license/state ID/passport numbers, financial account details (account numbers, login credentials), precise geolocation (within 1,850 feet), racial/ethnic origin, religious beliefs, union membership, biometric data for identification, health information, and sex life/sexual orientation. Search the codebase for collection of any of these data types. Check whether the privacy policy has a separate section disclosing SPI collection and stating that SPI is used only for the purposes listed in CCPA Civil Code § 1798.121 (essentially: only use SPI to deliver the service, for security, for quality control, and a few other limited purposes). Check whether a "Limit the Use of My Sensitive Personal Information" mechanism is implemented if SPI is used beyond those permitted purposes. Count all instances found and enumerate each.
Pass criteria: If sensitive PI is collected, the privacy policy separately discloses what SPI is collected and confirms it is used only for permitted purposes. If SPI is used beyond permitted purposes, a "Limit the Use of My Sensitive Personal Information" option is available to consumers. At least 1 implementation must be confirmed.
Fail criteria: Application collects SPI (e.g., precise geolocation) without a separate privacy policy disclosure. SPI is used for profiling or advertising without a "Limit Use of SPI" mechanism.
Skip (N/A) when: Application does not collect any CPRA-defined sensitive personal information. Document which SPI categories were reviewed and confirmed absent.
Detail on fail: Example: "Application requests precise geolocation (navigator.geolocation.getCurrentPosition) but privacy policy does not have a Sensitive Personal Information section and no 'Limit Use of SPI' mechanism is provided."
Remediation: Add SPI disclosures to the privacy policy and implement a limit-use mechanism if needed:
## Sensitive Personal Information (add to privacy policy if SPI is collected)
We collect the following sensitive personal information:
- [e.g., Precise geolocation] — used only to [describe purpose, e.g., "show nearby service locations"]
We use sensitive personal information only as necessary to provide the services you request,
as permitted under California Civil Code § 1798.121. We do not use your sensitive personal
information for inferring characteristics about you or for cross-context behavioral advertising.
You have the right to limit our use of your sensitive personal information. To exercise
this right, visit [Limit SPI Use link] or contact us at privacy@example.com.
If SPI is only used for permitted purposes, you do not need to provide a "Limit Use" mechanism — but you must still disclose the SPI collection in the privacy policy.
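The codebase search described in the summary and under "What to look for" can be scripted. The following Python scanner is an added example, not part of the original check: it flags candidate SPI collection points by category and lists each location so they can be counted and enumerated. The field-name patterns, file extensions and skipped directories are assumptions to tune, and every match still needs manual review.

```python
import re
import sys
from pathlib import Path
# Heuristic indicators (assumptions of this example); tune them to your schema.
API_CALLS = {"precise_geolocation": re.compile(
    r"navigator\.geolocation\.(?:getCurrentPosition|watchPosition)")}
FIELD_NAMES = {cat: re.compile(rf"(?<![a-z])(?:{alts})(?![a-z])") for cat, alts in {
    "government_id": r"ssn|social_?security|drivers?_?licen[sc]e|passport_?(?:number|no)",
    "financial_account": r"account_?number|routing_?number|iban",
    "biometric": r"biometrics?|face_?print|voice_?print",
}.items()}
CAMEL = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")
SOURCE_EXTS = {".js", ".jsx", ".ts", ".tsx", ".html", ".vue", ".py", ".sql"}
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}
SAMPLE = ('navigator.geolocation.getCurrentPosition(onFix);\nconst businessName = f.name;\n'
          '<input name="account-number">\nsave({ userSSN: value });\n')  # constructed input

def normalize(line):
    """Map userSSN, user-ssn and user_ssn to user_ssn before matching names."""
    return CAMEL.sub("_", line).replace("-", "_").lower()

def scan_text(text, path="<memory>"):
    """Return one (category, "path:line") pair per SPI indicator found."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for patterns, subject in ((API_CALLS, line), (FIELD_NAMES, normalize(line))):
            hits += [(c, f"{path}:{no}") for c, rx in patterns.items() if rx.search(subject)]
    return hits

def scan_tree(root):
    """Scan source files under root, skipping vendored and build directories."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and p.suffix in SOURCE_EXTS and not SKIP_DIRS & set(rel.parts):
            hits += scan_text(p.read_text(encoding="utf-8", errors="ignore"), str(rel))
    return hits

def summarize(hits):
    """Group locations by category so each can be counted and enumerated."""
    report = {}
    for category, location in hits:
        report.setdefault(category, []).append(location)
    return report

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for category, locations in summarize(hits).items():
        print(f"{category}: {len(locations)}", *locations, sep="\n  ")
```

Run it with the repository root as the only argument; with no argument it scans the constructed sample. Any category that appears in the output needs a matching entry in the policy's Sensitive Personal Information section.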