Privacy Policy Clause: Notice of the Right to Limit the Use of Sensitive Personal Information
(CCPA/CPRA)

This clause provides consumers with notice of their right to limit the use of their sensitive personal information as required by the California Consumer Privacy Act of 2018 (CCPA), as amended and expanded by the California Privacy Rights Act of 2020 (CPRA) and associated regulations. This clause includes practical guidance and drafting notes. If the business uses or discloses sensitive personal information for purposes other than those necessary to provide products or services, as specified in 11 CCR 7027(m), it must provide notice to the consumer that they have the right to limit the use of their sensitive personal information with a "Limit the Use of My Sensitive Personal Information" link on its homepage. Cal. Civ. Code § 1798.121; 11 CCR 7014. The business can also use an alternative opt-out link titled "Your California Privacy Choices" that provides both the ability to opt out of sale and sharing and limit the use of sensitive personal information. 11 CCR 7015. Clicking on either link should immediately effectuate the consumer's choice, take the consumer to a Notice of Right to Limit on an internet web page, or take the consumer directly to the specific section of the business's privacy policy that contains the same information. 11 CCR 7014(e)(1). If clicking on the "Limit the Use of My Sensitive Personal Information" link immediately effectuates the consumer's right to limit, the business must provide the notice within its privacy policy. 11 CCR 7014(e)(1). A business does not need to provide a Notice of Right to Limit or the "Limit the Use of My Sensitive Personal Information" link if: • It only uses and discloses sensitive personal information for the purposes necessary to provide products or services, and states so in its privacy policy, –or– • It only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer, and states so in its privacy policy. 11 CCR 7014(g). Format and Accessibility Like the other required consumer disclosures, the Notice of Right to Limit must be : • Easy to read and understandable (use plain, straightforward language and avoid technical or legal jargon) • Readable on smaller screens • Available in the languages in which the business ordinarily communicates with customers • Reasonably accessible to consumers with disabilities (for notices provided online, follow generally recognized industry standards) 11 CCR 7003(a) and (b); 11 CCR 7014(b). The "Limit the Use of My Sensitive Personal Information" link must be a conspicuous link that: • For websites, is located at either the header or footer of the business's internet homepage(s) and appears in a similar manner as other links used by the business on its homepage(s) (e.g., approximate font size and color) • For mobile applications, is included in the business's privacy policy, which must be accessible through the mobile application's platform page or download page or through a link within the application, such as through the application's settings menu 11 CCR 7014(c), 7003(c) and (d). A business that does not operate a website must establish, document, and comply with another method by which it informs consumers of their right to limit. 11 CCR 7014(e)(2). That method must comply with the requirements set forth in 11 CCR 7003. 11 CCR 7014(e)(2). Required Information A business must include the following in its Notice of Right to Limit: • A description of the consumer's right to limit –and– • Instructions on how the consumer can submit a request to limit 11 CCR 7014(f). If notice is provided online, the notice must include the interactive form by which the consumer can submit their request to limit online, as required by 11 CCR 7027(b)(1). If the business does not operate a website, the notice must explain the offline method by which the consumer can submit their request to limit. 11 CCR 7014(f). For a full listing of related California consumer privacy content, see California Consumer Privacy Resource Kit (CCPA and CPRA). For a full California privacy policy. See Privacy Policy (CCPA/CPRA). For a full listing of related data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy.