---
title: "CPRA Sensitive Personal Information"
canonical_url: "https://www.sorena.io/artifacts/us/cpra/sensitive-personal-information"
source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/sensitive-personal-information"
author: "Sorena AI"
description: "Handle SPI with the level of design and evidence the California rules now expect."
published_at: "2026-02-22"
updated_at: "2026-02-22"
keywords:
  - "CPRA sensitive personal information"
  - "California SPI"
  - "right to limit CPRA"
  - "SPI notice California"
  - "CPRA"
  - "Sensitive Personal Information"
  - "California privacy"
---

# CPRA Sensitive Personal Information

Handle SPI with the level of design and evidence the California rules now expect.


## California CPRA Sensitive Personal Information

Grounded in the California statute, CPPA regulations, and the 2026 California rule changes.

SPI is one of the clearest examples of how the California regime moved beyond a generic disclosure law. Businesses now need a working model for classification, permitted use analysis, notices, and limitation workflows.

## Classify SPI correctly

The first step is to identify where California sensitive personal information appears in systems, profiles, logs, and vendor disclosures. That classification should be tied to the actual purpose for which the data is collected or used.

- Create an SPI category inventory across customer, employee, and marketing systems
- Map each SPI use to a specific purpose rather than a generic business label
- Identify where SPI is exposed to service providers, contractors, or third parties
- Review retention periods and masking or minimisation practices for each SPI category

## Permitted purposes and right to limit

If the business uses or discloses SPI only for the permitted purposes in the regulations, the right to limit may not apply in the same way. If the business goes beyond those permitted purposes, it should provide the notice of right to limit and implement the workflow.

- Test each SPI use against the permitted purpose list in the California rules
- Provide the notice of right to limit where the right is triggered
- Process requests to limit without making them burdensome
- Push limitation instructions to service providers or contractors within the required workflow

## Monitoring and assurance

SPI should appear in request metrics, contract reviews, and risk assessment decisions. It is one of the strongest signals that the business should be testing whether collection, use, and sharing remain reasonably necessary and proportionate.

- Monitor where SPI is accessed, disclosed, or reused
- Review contracts and due diligence for recipients handling SPI
- Use SPI in risk assessment trigger analysis and control prioritisation
- Retain evidence of limitation handling, notices, and remediation decisions


## Primary sources

- [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub.
- [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials.
- [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ.
- [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates.

