Personal vs. Sensitive Personal Information

Sensitive personal information is a legal category of personal information that must be stored and handled in specific ways under laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) due to the vulnerable nature of the data.

While the legal definition of personal information changes under different privacy laws, it refers to any data that can directly or indirectly identify an individual or household.

Sensitive information, however, can be used to determine things like a person’s opinions, personal preferences, or additional susceptible details that could lead to fraud, identity theft, or other harm if the data is leaked, breached, or compromised in some way.

This comprehensive guide will help you understand the subtle difference between personal and sensitive information and outline how to handle this type of data collection under each of the different data privacy laws that may impact your business.

Definition of Sensitive Personal Information

Sensitive personal information, sometimes called SPI, is data that is subject to strict protection guidelines under laws like the GDPR and the CPRA and includes very intimate details about your users, like their:

• Political affiliations
• Religious beliefs
• Philosophical beliefs
• Race or ethnicity
• Sexual orientation
• Health data
• Biometric data
• Criminal history
• Credit or financial data
• Trade union and membership information
• Personal identification (ID) numbers — license, social security, state ID cards, passports

Lawmakers around the globe set stricter guidelines for collecting, using, and securely storing this type of information about your users because of the vulnerable nature of the data.

If SPI is ever compromised or breached, it could cause permanent harm to the individual’s quality of life or impact their ability to perform daily activities, so it’s essential to follow all relevant legal guidelines if you deal with sensitive user data.

The Differences Between Personal vs. Sensitive Information

The differences between personal and sensitive information are subtle, but technically, SPI is a distinct category of personal data that you must treat, store, and handle differently based on privacy laws like the GDPR and the CPRA.

We already mentioned that the legal definition of personal information changes depending on the privacy law, but it typically refers to any data that can be used to directly or indirectly identify a person or household.

In other words, the data, either on its own or in tandem with additionally collected information, can be used to pinpoint an individual.

Personal information can be any of the following details:

• Names
• Email addresses
• Mailing addresses
• IP addresses
• Phone numbers
• Dates of birth
• ZIP codes
• Sensitive information

Sensitive personal data examples include:

• A person’s beliefs
• Medical and genetic data
• Criminal histories
• Opinions
• Sexual identity
• Race
• Other more intimate details

So, by its nature, SPI is more vulnerable than other personal identifiers.

If sensitive data is breached or compromised, it could lead to discrimination, harassment, identity theft, or impact the quality of the person’s daily life in other harmful ways.

Therefore, different data privacy laws around the world dictate how businesses can legally collect, store, and use such delicate information and grant users more rights over that data.

Types and Examples of Sensitive Personal Information

Data privacy laws around the globe don’t all agree on what counts as sensitive data, so for your convenience, we’ve outlined what is and what is not an example of sensitive information based on some of the most relevant pieces of legislation, like the:

What Is Considered Sensitive Personal Information?

Take a look at the table below to see a list of examples of sensitive personal data and the relevant privacy laws that include it in their legal definition of SPI.

The table above is a good place to start, but it’s by no means exhaustive; many other data privacy laws around the world impact how businesses collect, store, and process personal data and SPI.

It’s also important to note that, in some cases, the information mentioned above only legally qualifies as sensitive data if it’s in tandem with other personal details, like a person’s full name or the relevant information to provide login access to someone’s account.

What Is Not Considered Sensitive Personal Information?

Depending on what privacy law you fall under, publicly available information, data that users consented to have tracked, and information that is of public concern are usually not considered sensitive information.

For example, the following details don’t qualify as sensitive data under the CPRA:

• Publicly available information from federal, state, or local government records
• Lawfully obtained, truthful information that is a matter of public concern
• Information a business has a reasonable basis to believe is made lawfully available to the general public by the consumer or by widely distributed media
• Information made available by a person to whom the consumer has disclosed the data if the consumer has not restricted that information to a specific audience

On the other hand, the text of the GDPR clarifies that it always considers certain types of data to be SPI, but grants six specific instances when those categories are allowed to be processed by a data controller, which includes the following:

1. Getting explicit consent from data subjects before any tracking begins
2. Performing contractual obligations
3. Legal obligations for compliance with the law
4. To carry out vital interests and protect or save someone’s life
5. For the legitimate interest of the data controller
6. For carrying out essential tasks in the public interest

As you can see by comparing the GDPR to the CPRA above, the nuances of data privacy laws are subtle but important to understand, especially when collecting sensitive information.

What is considered SPI under one law might not be an example of sensitive information under another and vice versa.

How Privacy Laws Address Sensitive Information

In the next section, we look at the technical definition of sensitive personal information according to all of the following laws and provide you with guidelines for remaining in compliance with each one:

• General Data Protection Regulation (GDPR)
• California Consumer Protection Act (CCPA)
• California Privacy Rights Act (CPRA)
• California Online Privacy Protection Act (CalOPPA)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Additional laws from around the world

GDPR Definition of Sensitive Information

According to the GDPR, sensitive information is a special category of personal data, and to legally collect and use it, you need to prove a lawful basis for processing this type of information.

In the screenshot below, see the legal definition of sensitive personal information according to Article 9 of the law:

Under the GDPR, all of the following details are considered personal sensitive information:

• Race or ethnicity
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Health data
• Sexual orientation and sex life

Businesses that fall under the GDPR need to prove any one of the following as a lawful basis to process any of the special categories of personal data legally:

• You get explicit consent from users to process the data for one or more specific purposes
• Processing is necessary for carrying out the obligations or exercising the rights of the controller or data subject in the context of employment, social security, and social protection law
• Data processing is necessary to protect the vital interests of the data subject or person who is legally incapable of giving autonomous consent
• Processing is necessary for foundations, associations, or any other not-for-profit body with political, philosophical, religious, or trade union aims on the condition that it relates solely to members or former members and the data is not disclosed outside of the body without the consent of the data subjects
• Processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in a judicial capacity
• Data processing is necessary for reasons of substantial public interest or on the basis of Union or Member State law as long as the fundamental rights of the data subject are safeguarded
• Processing the data is necessary for preventive occupational medicine, assessment of the working capacity of an employee, a medical diagnosis, or there are provisions for health or social care and treatments
• Data processing is needed for reasons of public interest in the area of public health, like cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or devices
• Processing the data is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes

If you collect personal sensitive information from users and fall under the jurisdiction of the GDPR, you must also store the data in secure ways that are in line with Article 32 of the law, which recommends the following technical measures:

• Pseudonymization and encryption of personal data
• Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Ability to restore the availability and access to personal data in a timely manner in the event of an incident
• Create a process of regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures of ensuring the security of the data processing

You should outline the legal basis for why and how you collect sensitive categories of data and the security measures in place for protecting it in distinct clauses in a GDPR-compliant privacy policy.

CCPA Definition of Sensitive Information

If you fall under the threshold of the CCPA, there is technically no separate definition for sensitive personal information outlined by the law, nor does it treat sensitive data differently than generic personal information.

Any personal information you collect from users, including SPI, must be outlined in a CCPA-compliant privacy policy following specific guidelines.

The screenshot below shows you the legal definition of personal information described in section 1798.140 of the CCPA.

The text of the law then lists the following details as examples of personal data:

• Real names, aliases, postal addresses, unique personal identifiers, online identifiers, internet protocol addresses, email addresses, account names, social security numbers, driver’s license numbers, passport numbers, or other similar identifiers
• Commercial information, records of personal property, products, or services purchased, obtained, considered, or other purchasing and consuming histories and tendencies
• Biometric information
• Internet and electronic network activity, information, browsing history, search history, information regarding consumer’s interaction with a website, application, or advertisement
• Geolocation data
• Audio, electronic, visual, thermal, olfactory, or similar information
• Professional or employment-related information
• Education information that is not publicly available

But on January 1, 2023, the CPRA came into force, amending the CCPA regulations and providing a specific legal definition for sensitive personal information, permanently changing the phrasing within and how we interpret the CCPA.

We cover how the CPRA amended the CCPA in detail in the next section.

CPRA Definition of Sensitive Information

An amendment to the CCPA, the CPRA clearly defines sensitive information as a separate category of data and creates new rights for consumers and obligations for businesses that track, store, and use this type of data.

According to the definitions outlined by the CPRA in section 1798.40, sensitive personal information means details that reveal:

• A consumer’s social security, driver’s license, state identification card, or passport number
• A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or other credentials allowing entry into an account
• Precise geolocation
• Racial or ethnic origin, religious or philosophical beliefs, or union membership
• Contents of the consumer’s mail, email, and text messages unless the business is the intended recipient of communications
• Genetic data
• Processing biometric data for the purpose of identifying an individual
• Health data
• Sexual orientation

Consumers have the right to request to opt out of the selling or sharing of their sensitive personal information under the CPRA as outlined in section 1798.121 of the law.

To ensure your users can act on this data privacy right, you’re required to put a clear and conspicuous “Do Not Sell or Share My Personal Information” link on the homepage of your website or app.

But if you process sensitive personal information, you also need to include a “Limit the Use of My Sensitive Personal Information” link, as consumers now have the right to limit the processing of this type of data under the CPRA.

The law goes on to clarify that businesses do not need to include the link if opt-out preference signals from consumers sent with their consent by a platform, technology, or mechanism are used and followed, as shown in the highlighted text below.

The platforms, technology, and mechanisms referenced in this part of the law refer to browser settings like Global Privacy Control (GPC), which alert websites of a user’s consent preferences as soon as they enter the site.

Still, if you collect sensitive information and fall under the jurisdiction of the CPRA, ensure you abide by all appropriate legal regulations and restrictions to avoid trouble with the law.

CalOPPA Definition of Sensitive Information

Established in 2003, CalOPPA is the original law requiring websites with California visitors to post privacy policies, but it does not have a sensitive information category.

This law originally defined personally identifiable information (PII) in the US as any of the following details:

• First and last name
• Home or other physical address
• Email address
• Telephone number
• Social security number
• Any other identifier that permits the physical or online contacting of a specific individual
• Information concerning a user that the website or online service collects that can identify an individual when combined with an identifier described above

Under this law, entities that collect PII data from users must conspicuously post a privacy policy outlining:

• The categories of PII collected and whom it’s shared with
• If there is a process for consumers to review or request changes to their data
• How you’ll update consumers about changes to the privacy policy
• A clearly posted effective date
• Disclose how you respond to “do not track” signals or other mechanisms
• State if other parties may collect personal data about an individual’s online activities over time or across different websites
• Provide a clear and conspicuous hyperlink in the privacy policy explaining the “Do Not Track” request protocols you follow

But the CPRA and the CCPA expand upon the business obligations, consumer rights, and technical protocols originally outlined in CalOPPA, so be aware of how all three laws may affect your sensitive personal data tracking and processing.

Virginia CDPA Definition of Sensitive Information

One of the most recent US state data privacy laws, the Virginia Consumer Data Protection Act (CDPA), also legally establishes two categories of information, personal data and sensitive personal data.

Personal data is defined under Section 59.1-571 of the CDPA as:

… any information that is linked or reasonably linkable to an identified or identifiable natural person.

But it excludes any de-identified or publicly available information.

The law then defines a separate category of information called sensitive data, which encompasses any category of information that includes:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Processing of biometric or genetic data
• Any data collected from a known child
• Precise geolocation

Under this law, data controllers need explicit opt-in consumer consent to process sensitive data. This consent needs to be freely given by the consumer, informed, and unambiguous, as shown in the highlighted text in the screenshot below.

PIPEDA Definition of Sensitive Information

In Canada, the Personal Information Protection and Electronic Documents Act, or PIPEDA, is a federal data privacy law that imposes restrictions on how organizations collect and use personal data, including sensitive information.

In 2022, the Office of the Privacy Commissioner of Canada (OPC) issued an Interpretation Bulletin dealing with sensitive information, stating that under PIPEDA, any data could be considered sensitive depending on the context, highlighted for you in the screenshot below.

It clarifies that the following details are generally considered sensitive and require a higher degree of security and protection:

• Health data
• Financial data
• Ethnic or racial origins
• Political opinions
• Genetic data
• Biometric data
• Sexual orientation
• Religious beliefs
• Philosophical beliefs

If you collect SPI about Canadians and fall under PIPEDA, you must follow ten fair information principles outlined by the law and take extra measures to securely and appropriately store the data.

How Other Laws Define Sensitive Personal Information

There are additional laws around the world that impact the collection and use of sensitive personal data, so we’ve compiled several definitions for you in the table below.

While there’s overlap with how laws define sensitive information, each one also introduces unique identifiers, guidelines, and requirements businesses must follow to track, store, and use the data.

It can all feel overwhelming, but we’ve got your back.

Sensitive Personal Information FAQ

Learn even more about sensitive personal information by checking out some of the most frequently asked questions we get on the topic below.

Summary

Under data privacy laws like the CPRA and the GDPR, sensitive personal information is a distinct category of personal information, and businesses must handle it with additional safeguards.

Depending on the privacy law that applies, users also have different rights over their SPI. For example, the CPRA and the CCPA require you to post a “Do Not Sell or Share My Sensitive Information” link.

Because sensitive data includes vulnerable details like a person’s beliefs, sexual orientation, political affiliations, or race, exposing the data could cause harm to the user, like:

• Discrimination
• Humiliation
• Identity theft
• Fraud
• Character defamation

If you collect any details from users that fall under the category of SPI, take extra steps to ensure the data is securely stored and safe from potential hacks or breaches.

You should also conspicuously post a privacy policy on your website or app outlining what sensitive data you collect, the legal basis for why, and explain the rights users’ have over that data.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author