Guide to CCPA “Limit the Use of My Sensitive Personal Information” Rights and Notices
At a Glance
- The “Limit the Use of My Sensitive Personal Information” right gives California consumers the power to restrict how businesses use and share their high-risk personal data.
- Not every business that collects sensitive personal information needs to post the link, as the requirement is triggered by purpose, not collection alone.
- The CPRA requires you to be able to demonstrate privacy compliance with this obligation, which makes audit-ready records and tamper-proof consent logs a core part of any compliance strategy.
- The “Limit the Use” right and the “Do Not Sell or Share My Personal Information” opt-out target different data and different activities, but businesses may need to honor both depending on their data practices.
Under the California Privacy Rights Act (CPRA), consumers have the right to restrict how businesses use their sensitive personal information (SPI).
Because SPI covers high-risk data categories like biometrics, precise geolocation, and financial credentials, the law treats it differently from general and less identifiable personal information and gives consumers stronger controls over it.
This guide explains what the “Limit the Use of My Sensitive Personal Information” requirement means, when it applies to your business, and what you need to do for it to be part of your privacy compliance operations.
What Does “Limit the Use of My Sensitive Personal Information” Mean?
“Limit the Use of My Sensitive Personal Information” is a consumer privacy right that lets California residents restrict how a business uses or discloses their SPI. It was introduced by the CPRA, furthering the California Consumer Privacy Act (CCPA).
When someone exercises this right, a business can only use their SPI to deliver the specific products or services requested, or for a narrow set of legally permitted purposes. These include fraud prevention, security, and physical safety.
California privacy regulations also set out specific user experience and display requirements for how businesses must convey this right.
If your business uses SPI for purposes that go beyond the narrow exceptions mentioned above, you must post a clear and conspicuous “Limit the Use of My Sensitive Personal Information” link on your homepage, typically in a header or footer.

Alternatively, you can display a combined “Your Privacy Choices” link that covers both this right and the separate “Do Not Sell or Share My Personal Information” opt-out.
Businesses subject to California privacy law may need to honor both rights, making SPI restrictions an extension of the broader consent framework that applies to personal data.
What Rights and Protections Do Consumers Have Under This Requirement?
The “Right to Limit” gives California consumers meaningful control over their sensitive data. The following protections apply.
Timely restriction of SPI use
Once a consumer submits a request to limit, the business, along with any service providers or third parties it has shared that data with, must stop using SPI for unauthorized purposes within 15 business days.
No dark patterns
Businesses can’t design interfaces to make it harder to exercise this right. The path to limiting SPI can’t be more difficult than the path to permitting broader data use. Language must be plain and free of confusing phrasing or manipulative design elements, commonly referred to as dark patterns.
No excessive verification
Unlike deletion or access requests, businesses can’t require a verifiable consumer request to process a limit request. They also can’t require account creation, ask for unnecessary information, or charge a fee. One exception applies: where a consumer uses an authorized agent to submit the request, the business may require written permission signed by the consumer before complying.
A 12-month re-ask restriction
After a consumer limits SPI use, a business must wait at least 12 months before seeking consent to use that data for those purposes again.
Nondiscrimination
Businesses can’t deny services or site access, charge higher prices, or reduce service quality because a consumer exercised this right.
“Do Not Sell or Share My Personal Information” vs “Limit the Use of My Sensitive Personal Information”
These two requirements are often confused, but they target different data and different activities. Your business may need to honor one or both depending on its practices.
“Do Not Sell or Share My Personal Information”
This applies to the broad category of personal information and is focused on outward data transfers. Specifically, it limits a business from selling data for profit or sharing it for cross-context behavioral advertising.
“Limit the Use of My Sensitive Personal Information”
This applies only to the higher-risk subset of SPI, like precise geolocation or genetic data. It’s focused on restricting how a business uses or discloses that data internally and externally, beyond what’s needed to deliver the service a consumer asked for.
| | Do Not Sell or Share My Personal Information | Limit the Use of My Sensitive Personal Information |
|---|---|---|
| Data Covered | All personal information | Only personal information categorized as sensitive |
| What It Restricts | Sale and sharing for advertising | Use and disclosure beyond essential purposes |
| When It’s Required | If the business sells or shares data | If SPI is used for non-essential purposes |
| Rules and Limits | Must respect opt-outs; can’t require account creation for verification; notification requirements | Explicit list of “essential purposes” under the CPRA; contractual requirements for third parties; requirements for data minimization, security, and retention |
Sensitive Personal Information (SPI) Under the CPRA: What Counts and What Doesn’t
SPI is a defined subset of personal information that carries heightened protection due to its potential for harm. The CPRA names specific categories, but classification is contextual: the same data point can become sensitive depending on how it’s combined or used.
Here are some examples of SPI categories and where they tend to show up.
| SPI Category | Where It Shows Up |
|---|---|
| Government IDs (SSN, passport, driver’s license) | Identity verification flows, onboarding |
| Financial credentials (account logins, card numbers, access codes) | Payment processing, account authentication |
| Precise geolocation (within 1,850-foot radius) | Location-based offers, navigation features, store visit tracking |
| Private communications (mail, email, texts) | Customer support transcripts, messaging features |
| Identity and beliefs (race, religion, union membership, immigration status) | Demographic targeting, HR systems |
| Biometric data (fingerprints, facial recognition) | Biometric login, fraud detection |
| Neural data (nervous system activity) | Emerging wearables, health tech |
| Health and orientation (health info, sex life, sexual orientation) | Wellness apps, personalization engines |
Any information that’s made publicly available from federal, state, or local government records isn’t considered personal or sensitive personal information.
Additionally, SPI that’s collected or processed without the purpose of inferring characteristics about a consumer is treated as regular personal information and isn’t subject to “Right to Limit” requirements.
When Are You Required to Provide a “Limit the Use of My Sensitive Personal Information” Link?
The CCPA/CPRA applies to for-profit organizations that do business in California and meet at least one of the following thresholds:
- Annual gross revenue over USD 25 million (adjusted periodically for the Consumer Price Index)
- Buying, selling, or sharing the data of 100,000 or more California residents or households annually
- Deriving 50 percent or more of annual revenue from selling or sharing personal information of California consumers
If your business meets one of those criteria and collects SPI, the next question is what you do with it, because not every business that collects SPI needs to provide the link.
The core trigger is purpose. Imagine your business uses or discloses SPI only for a narrow set of authorized purposes, such as delivering requested services or fraud prevention and security. If you state this clearly in your privacy policy, you’re not required to post a “Limit the Use of My Sensitive Personal Information” link.
The requirement kicks in when SPI is used or disclosed for anything beyond those permitted purposes, such as cross-context advertising or profiling.
At that point, you must provide a clear and conspicuous “Limit the Use of My Sensitive Personal Information” link on your homepage.
California privacy law permits two alternative approaches. Rather than a standalone link, businesses can use a single “Your Privacy Choices” link that covers both the SPI limit right and the “Do Not Sell or Share” opt-out, accompanied by the required opt-out icon.
Additionally, companies that implement universal consent frameworks and process consent signals like Global Privacy Control (GPC) may also qualify for an exemption from posting the link, provided specific disclosures appear in their privacy policy.
5 Steps for Complying With the “Limit the Use of My Sensitive Personal Information” Requirement
To comply with the CPRA’s “Limit the Use” requirement, you must have a clear picture of what SPI you collect, why you collect it, and how user choices are technically enforced across your systems. Here’s a practical framework for achieving and maintaining compliance with this particular CPRA stipulation.
1. Identify Where You Collect SPI and Classify Purposes
Start with a data inventory and map every touchpoint where SPI enters your systems, including intake forms, product analytics events, third-party SDKs, ad tech vendor tags, and CRM integrations.
For each collection point, document which data is collected, why, and by whom.
Once you have that inventory, classify each purpose and ask whether the SPI is necessary to deliver the requested service. For example, precise geolocation used for navigation is necessary. The same geolocation data fed into a behavioral advertising profile isn’t.
That distinction determines whether the “Limit the Use” right is triggered and which data flows need to be restricted when a consumer exercises that right.
2. Implement a Clear and Conspicuous Limitation Mechanism
If your SPI use goes beyond authorized purposes, you need a visible, functional mechanism for consumers to exercise their right.
As we mentioned, California privacy regulations require a “Limit the Use of My Sensitive Personal Information” link on your homepage. You can also consolidate this with your “Do Not Sell or Share” opt-out into a single “Your Privacy Choices” link, which simplifies the user experience.
A consent management platform (CMP) like Usercentrics can handle this automatically: surfacing the correct link based on the user’s location and managing granular SPI preferences so the mechanism meets the California privacy law requirements around symmetry of choice and plain language.
3. Technically Enforce the Limitation
Posting a link is the visible part of privacy compliance, but the heavier lift is making sure user choices are actually enforced downstream.
When a consumer limits SPI use, that signal needs to be transmitted across your tag management system, data pipelines, and any third-party vendors or service providers that have received that data. And you’re legally obligated to honor the restriction within 15 business days.
Your systems also need to recognize and respect universal opt-out signals like GPC. A consumer exercising their right via GPC must have their SPI restriction honored automatically, without requiring them to submit a separate request through your website.
The Usercentrics CMP can also help you do that, as it automatically passes consent signals downstream and can read and implement universal opt-out signals.
4. Update Your Privacy Policy
Your CCPA privacy policy needs to accurately reflect your SPI practices. It should:
- Disclose the categories of SPI you collect, the purposes for which each category is used, and whether any SPI is sold or shared with third parties
- Include a clear description of the consumer’s right to limit
- Explain how consumers can exercise that right, including whether you accept universal opt-out mechanisms (UOOMs) like GPC
- Confirm that you will not discriminate against consumers who choose to limit SPI use
If you rely on the authorized purposes exemption to avoid posting the link, your policy must explicitly state that SPI is only used for those permitted purposes.
5. Maintain Records and Audit Trails
The California Attorney General and California Privacy Protection Agency (CPPA), which enforce the state’s privacy laws, expect businesses to be able to demonstrate compliance.
For every limit request you receive, you need to log:
- The date and time it was submitted
- The channel through which it was made
- The response provided
- When the restriction was applied across systems
These records serve two purposes. First, they help to protect you in the event of an audit or investigation. Second, they help your team identify patterns, such as a high volume of requests in a particular product area, that may signal a need to revisit your data collection practices.
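One way to keep the four logged items above in a form where later edits are detectable, together with the 15-business-day enforcement deadline from step 3. This is an added example, not code from this guide or from Usercentrics. It assumes a SHA-256 hash chain as the tamper-evidence technique, counts business days as Monday to Friday with holidays ignored, and uses hypothetical field names, channel labels and request IDs.

```python
import hashlib
import json
from datetime import date, datetime, timedelta

GENESIS = "0" * 64  # prev_hash used by the first entry in the chain

def add_business_days(start: date, days: int) -> date:
    """Count forward Mon-Fri only (assumption: public holidays are ignored)."""
    while days > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start

def _digest(body: dict, prev_hash: str) -> str:
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def append_event(log: list, request_id: str, event: str, at: datetime, **detail) -> None:
    """Append-only: 'submitted' carries channel and response, 'applied' the enforcement time."""
    body = {"request_id": request_id, "event": event, "at": at.isoformat(), **detail}
    if event == "submitted":
        body["enforce_by"] = add_business_days(at.date(), 15).isoformat()
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {**body, "prev_hash": prev_hash, "hash": _digest(body, prev_hash)}
    log.append(entry)

def first_tampered(log: list) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(body, prev_hash):
            return i
        prev_hash = entry["hash"]
    return -1

def overdue(log: list, today: date) -> list:
    """Request IDs past their deadline that have no 'applied' event yet."""
    applied = {e["request_id"] for e in log if e["event"] == "applied"}
    return [e["request_id"] for e in log if e["event"] == "submitted"
            and e["request_id"] not in applied and date.fromisoformat(e["enforce_by"]) < today]

def sample_log() -> list:
    """Constructed sample: one web-form request and one received as a GPC signal."""
    log = []
    append_event(log, "req-1", "submitted", datetime(2025, 3, 3, 9, 30), channel="web_form", response="acknowledged")
    append_event(log, "req-2", "submitted", datetime(2025, 3, 4, 14, 0), channel="gpc_signal", response="auto_applied")
    append_event(log, "req-1", "applied", datetime(2025, 3, 10, 11, 0))
    return log
```

A hash chain only shows that an entry was changed after the fact; someone who can rewrite the whole log can recompute every hash, so the latest hash should also be stored somewhere the log's writers cannot modify.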
How Usercentrics Helps Operationalize CPRA Compliance
Meeting the “Limit the Use of My Sensitive Personal Information” requirement is an ongoing operational commitment that spans data discovery, consumer-facing UX, technical enforcement, and audit readiness.
Usercentrics functions as the compliance infrastructure underneath all of it.
The automated consent management solution can configure standalone or combined “Your Privacy Choices” links, automate SPI limitation signaling across tags and data pipelines, and maintain tamper-proof consent and request records designed to withstand CPPA scrutiny.
And as your digital footprint grows and regulations evolve, Usercentrics scales with you. It helps reduce manual compliance risk with a consistent, enforceable privacy foundation your team can build on.
