Co-Hosted by: California Lawyers Association Privacy Law Section and the Future of Privacy Forum

Session 2: Sensitive Data: Health Conditions, Demographics, and Inferences

Join us on Friday, February 25th, from 12:00-1:15PM Pacific Time, for an exploration of what makes certain kinds of consumer data “sensitive” – and how to identify such data and think about new regulations that limit its collection and use.

This session will begin with a brief presentation on the definitions of “sensitive data” under existing legal regimes (CPRA, VCDPA, and CPA), with a specific discussion of the legal parameters of non-HIPAA and non-CMIA consumer health data.

As an example of sensitive data, we will explore real-world examples of how consumer health information is collected and used in different commercial settings, from a technical and business perspective, including:

• Consumer services that directly collect and use high-risk or clearly sensitive data that is not covered by HIPAA or other sectoral privacy laws (for example, direct-to-consumer blood sample analysis);
• Mobile app data involving fitness, wellness, or wearable device information (such as steps and heart rate) that may be considered sensitive or not, depending on the context and uses;
• Information that may appear sensitive on its face, but may not be used for the purposes of inferring sensitive information (such as the URL of a website, name of an app, or search engine query in the context of providing basic functionality or services); as well as the opposite: information that may appear non-sensitive on its face (such as a person’s shopping habits) that may nonetheless, over time or in combination with other information, lead to sensitive inferences.

In this session, we’ll be joined by guest experts:

Robert D. Tookoian, Of Counsel, Fennemore Craig, PC
Kate Black, Partner, Hintze Law
Charlyn L. Ho, Partner, Perkins Coie