Sensitive personal information, a legal category of personal information, must be stored and handled in specific ways under laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) due to its vulnerability.
While the legal definition of personal information changes under different privacy laws, it refers to any data that can directly or indirectly identify an individual or household.
Sensitive information, however, can determine things like a person’s opinions, personal preferences, or additional susceptible details that could lead to fraud, identity theft, or other harm if the data is leaked, breached, or compromised.
Below, learn the differences between personal and sensitive information and how to handle this type of data collection under different privacy laws that may impact your business.
Definition of Sensitive Personal Information
Sensitive personal information, sometimes called SPI, is data that is subject to strict protection guidelines under laws like the GDPR and the CCPA and includes very intimate details, such as:
- Political affiliations
- Religious beliefs
- Philosophical beliefs
- Race or ethnicity
- Sexual orientation
- Health data
- Biometric data
- Criminal history
- Credit or financial data
- Trade union and membership information
- Personal identification (ID) numbers — license, social security, state ID cards, passports
Some laws set stricter guidelines for collecting, using, and securely storing this type of information because of the vulnerable nature of the data.
If SPI is compromised or breached, it could cause permanent harm to the individual’s quality of life or impact their ability to perform daily activities, so it’s essential to follow all relevant legal guidelines if you deal with sensitive user data.
The Differences Between Personal vs. Sensitive Information
The differences between personal and sensitive information are subtle, but SPI is technically a distinct category of personal data that you must treat, store, and handle differently based on applicable privacy laws.
Broadly speaking, personal information refers to any data that can directly or indirectly identify a person or household.
Personal information can include any of the following details:
- Names
- Email addresses
- Mailing addresses
- IP addresses
- Phone numbers
- Dates of birth
- ZIP codes
- Sensitive information
But SPI, by nature, is more vulnerable than other personal identifiers.
Sensitive personal data examples include:
- A person’s beliefs
- Medical and genetic data
- Criminal histories
- Opinions
- Sexual identity
- Race
- Other more intimate details
If either type of data is leaked, it could harm the affected individuals, but the unauthorized access of sensitive data is particularly harmful as it could lead to:
- Discrimination
- Harassment
- Identity theft
- Other types of permanent harm
Therefore, different data privacy laws dictate how businesses can legally collect, store, and use such delicate information and grant users more rights over that data.
Types and Examples of Sensitive Personal Information
Data privacy laws use different definitions for sensitive data, so we’ve outlined what is and is not an example of sensitive information based on a few of the most significant pieces of legislation, including the:
- General Data Privacy Regulation (GDPR) — official legal text
- California Consumer Protection Act (CCPA) — official legal text
- Virginia Consumer Data Protection Act (VCDPA) — official legal text
- Australian Privacy Act 1988 — official legal text
What Is Considered Sensitive Personal Information?
Take a look at the table below to see a list of examples of sensitive personal data and the relevant privacy laws that include it in their legal definition of SPI.
| Applicable Data Privacy Law(s) | Type of Sensitive Personal Information |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
It’s important to note that, in some cases, the information above only qualifies as sensitive data if it’s in tandem with other personal details, like a person’s full name or the relevant information to provide login access to someone’s account.
Plus, some laws, like the GDPR, purposefully use broad definitions so the term can encompass other types of details not currently listed.
So, while the table above is a good place to start, it’s by no means exhaustive — many other data privacy laws around the world impact how businesses collect, store, and process personal data and SPI.
What Is Not Considered Sensitive Personal Information?
Depending on what privacy laws you fall under, the following details might not qualify as sensitive personal information:
- Publicly available information from federal, state, or local government records.
- Lawfully obtained, truthful information that is a matter of public concern.
- Information a business has a reasonable basis to believe is made lawfully available to the general public by the consumer or by widely distributed media.
- Information made available by a person to whom the consumer has disclosed the data if the consumer has not restricted that information to a specific audience.
However, what is and isn’t considered SPI can change from one law to another.
For example, the GDPR clarifies that it always considers certain types of data to be SPI but grants six specific instances when those categories are allowed to be processed by a data controller, which include:
- Getting explicit consent from data subjects before any tracking begins
- Performing contractual obligations
- Legal obligations for compliance with the law
- To carry out vital interests and protect or save someone’s life
- For the legitimate interest of the data controller
- For carrying out essential tasks in the public interest
The nuances of data privacy laws are subtle but important to understand, especially when collecting sensitive information.
How Privacy Laws Address Sensitive Information
In the next section, we look at the technical definition of sensitive personal information according to all of the following laws and provide you with guidelines for remaining in compliance with each one:
- General Data Protection Regulation (GDPR)
- California Consumer Protection Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
- California Online Privacy Protection Act (CalOPPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Additional laws from around the world
GDPR Definition of Sensitive Information
According to the GDPR, sensitive information is a special category of personal data, and to legally collect and use it, you need to prove a lawful basis for processing this type of information.
The screenshot below shows the legal definition of sensitive personal information according to Article 9 of the law.
Under the GDPR, the following details are considered personal sensitive information:
- Race or ethnicity
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health data
- Sexual orientation and sex life
To legally process any special categories of personal data, businesses must prove one of the following lawful bases:
- You obtained explicit consent from users to process the data for one or more specific purposes.
- Processing is necessary for carrying out the obligations or exercising the rights of the controller or data subject in the context of employment, social security, and social protection law.
- Data processing is necessary to protect the vital interests of the data subject or person who is legally incapable of giving autonomous consent.
- Processing is necessary for foundations, associations, or any other not-for-profit body with political, philosophical, religious, or trade union aims on the condition that it relates solely to members or former members and the data is not disclosed outside of the body without the consent of the data subjects.
- Processing is necessary for establishing, exercising, or defending legal claims or when courts are acting in a judicial capacity.
- Data processing is necessary for substantial public interest or on the basis of Union or Member State law as long as the data subject’s fundamental rights are safeguarded.
- Processing the data is necessary for preventive occupational medicine, assessment of the working capacity of an employee, a medical diagnosis, or there are provisions for health or social care and treatments.
- Data processing is needed for public interest in public health, like cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or devices.
- Processing data is necessary for archiving purposes in the public interest, scientific or historical research, or statistical purposes.
To collect personal sensitive information from users under the GDPR, you must also store the data in secure ways that align with Article 32 of the law, which recommends the following technical measures:
- Pseudonymization and encryption of personal data.
- Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Ability to restore the availability and access to personal data promptly in the event of an incident.
- Create a process of regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the data processing.
Outline the legal basis for why and how you collect sensitive categories of data and the security measures in place for protecting it in distinct clauses in a GDPR-compliant privacy policy.
CCPA/CPRA Definition of Sensitive Information
When the CPRA came into force, it amended the CCPA and created a specific legal definition for sensitive personal information, permanently changing how we interpret the CCPA.
It also created new consumer rights and obligations for businesses that track, store, and use this data type.
According to section 1798.40 of the amendment, sensitive personal information means details that reveal:
- A consumer’s social security, driver’s license, state identification card, or passport number
- A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or other credentials allowing entry into an account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of the consumer’s mail, email, and text messages unless the business is the intended recipient of communications
- Genetic data
- Processing biometric data for the purpose of identifying an individual
- Health data
- Sexual orientation
Under this amended law, consumers have the right to request to opt out of the selling or sharing of their sensitive personal information, as outlined in section 1798.121.
To ensure users can act on this privacy right, businesses must put a clear, conspicuous “Do Not Sell or Share My Personal Information” link on the homepage of their website or app.
If you process sensitive personal information, you also need a “Limit the Use of My Sensitive Personal Information” link, as consumers also have the right to limit the processing of SPI under the CCPA as amended by the CPRA.
But the law clarifies that businesses don’t need to include links if opt-out preference signals from consumers sent with their consent by a platform, technology, or mechanism are used and followed, as shown in the screenshot below.
The platforms, technology, and mechanisms referenced in this part of the law refer to browser settings like Global Privacy Control (GPC), which alert websites of a user’s consent preferences as soon as they enter the site.
Any personal information you collect from users, including SPI, must be outlined in a CCPA-compliant privacy policy following specific guidelines.
CCPA Definition of Sensitive Information Before the CPRA Amendments
Before the CPRA amended the CCPA, there was no distinction between regular personal data and sensitive information.
See the screenshot below for the original legal definition of personal information described in section 1798.140 of the CCPA.
The original text of the law listed the following details as examples of personal data:
- Real names, aliases, postal addresses, unique personal identifiers, online identifiers, internet protocol addresses, email addresses, account names, social security numbers, driver’s license numbers, passport numbers, or other similar identifiers
- Commercial information, records of personal property, products, or services purchased, obtained, considered, or other purchasing and consuming histories and tendencies
- Biometric information
- Internet and electronic network activity, information, browsing history, search history, information regarding consumer’s interaction with a website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information that is not publicly available
Now, a category of sensitive information exists, has a complete definition, and is subject to stricter requirements than regular personal data.
CalOPPA Definition of Sensitive Information
Established in 2003, CalOPPA is the original law requiring websites with California visitors to post privacy policies, but it does not have a sensitive information category.
CalOPPA originally defined personally identifiable information (PII) in the US as any of the following details:
- First and last name
- Home or other physical address
- Email address
- Telephone number
- Social security number
- Any other identifier that permits the physical or online contacting of a specific individual
- Information concerning a user that the website or online service collects that can identify an individual when combined with an identifier described above
Under this law, entities that collect PII must conspicuously post a privacy policy outlining:
- The categories of PII collected and whom it’s shared with
- If there is a process for consumers to review or request changes to their data
- How you’ll update consumers about changes to the privacy policy
- A clearly posted effective date
- Disclose how you respond to “do not track” signals or other mechanisms
- State if other parties may collect personal data about an individual’s online activities over time or across different websites
- Provide a clear and conspicuous hyperlink in the privacy policy explaining the “Do Not Track” request protocols you follow
But the CCPA as amended by the CPRA expand the business obligations, consumer rights, and technical protocols originally outlined in CalOPPA, so be aware of how all three laws may affect your sensitive personal data tracking and processing.
Virginia CDPA Definition of Sensitive Information
One of the newer US state data privacy law, the Virginia Consumer Data Protection Act (VCDPA) legally establishes two categories of information, personal data and sensitive personal data.
Personal data is defined under Section 59.1-571 of the CDPA as:
… any information that is linked or reasonably linkable to an identified or identifiable natural person.
But it excludes any de-identified or publicly available information.
The law also defines a separate category of information called sensitive data, which encompasses any category of information that includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Processing of biometric or genetic data
- Any data collected from a known child
- Precise geolocation
Under the VCDPA, data controllers need explicit opt-in consumer consent to process sensitive data, which must be freely given by the consumer, informed, and unambiguous, as shown in the screenshot below.
PIPEDA Definition of Sensitive Information
In Canada, the Personal Information Protection and Electronic Documents Act, or PIPEDA, is a federal data privacy law that imposes restrictions on how organizations collect and use personal data, including sensitive information.
In 2022, the Office of the Privacy Commissioner of Canada (OPC) issued an Interpretation Bulletin dealing with sensitive information, stating that under PIPEDA, any data could be considered sensitive depending on the context, highlighted in the screenshot below.
It clarifies that the following details are generally considered sensitive and require a higher degree of security and protection:
- Health data
- Financial data
- Ethnic or racial origins
- Political opinions
- Genetic data
- Biometric data
- Sexual orientation
- Religious beliefs
- Philosophical beliefs
If you collect SPI and fall under PIPEDA, you must follow ten fair information principles outlined by the law and take extra measures to securely and appropriately store the data.
How Other Laws Define Sensitive Personal Information
Additional laws around the world impact the collection and use of sensitive personal data, so we’ve compiled several definitions for you in the table below.
| Data Privacy Legislation | Definition of Sensitive Personal Information |
| General Data Protection Regulation (GDPR) |
|
| California Privacy Rights Act (CPRA) |
|
| California Consumer Protection Act (CCPA) |
|
| Virginia Consumer Data Protection Act (VCDPA) |
|
| Personal Information Protection and Electronic Documents Act (PIPEDA) |
|
| Australian Privacy Act 1988 |
|
| New Zealand Privacy Act of 2020 |
|
| China Personal Information Protection Law (PIPL) |
|
| Mexico Federal Law on the Protection of Personal Data Held by Private Parties |
|
While there’s overlap with how laws define sensitive information, each one introduces unique identifiers, guidelines, and requirements businesses must follow to track, store, and use it.
It can all feel overwhelming, but we’ve got your back.
Sensitive Personal Information FAQ
Learn even more about sensitive personal information by checking out some of the most frequently asked questions we get on the topic below.
How do I know if I collect sensitive personal information?
You can tell if you collect personal sensitive information by comparing the type of personal user data you track to the different legal definitions of sensitive personal data.
Sensitive personal information examples may include any of the following:
- Race or ethnicity
- Political affiliations
- Religious or philosophical beliefs
- Trade union or association memberships
- Health or genetics data
- Biometrics data
- Sexual orientation
How is sensitive personal information used?
Businesses use sensitive personal information to improve or create a more personalized online experience for users, gain insight into how people interact with a site, or send targeted ads.
How is sensitive personal information collected?
Websites or apps collect sensitive information through third-party trackers, cookies, first-party data collection methods, or when a user gives data through things like a sign-up form, payment form, or new user profile.
Why is protecting sensitive personal information important?
Protecting sensitive personal information from data breaches is important because of the nature of the data — if it falls into malicious hands, it could lead to fraud, identity theft, character defamation, or other types of harm.
How do I disclose that I collect sensitive personal information?
You can disclose your collection of sensitive personal information to users by making a thorough privacy policy and linking it somewhere conspicuous, like a pop-up consent banner and the footer of your site, so users can read and choose to consent to it or choose not.
To collect and use this data but stay in compliance with laws like the GDPR, CalOPPA, and the CPRA, your privacy policy must explain:
- Whether or not you collect sensitive information
- If you share or sell the sensitive information with others
- How you securely store or protect the sensitive information you collect
- Users’ rights over their sensitive personal information
How can consumers control their sensitive personal information?
Depending on the laws that cover the individuals, consumers can control their sensitive personal information by:
- Accessing consent tools on websites or browsers and opting out of (or into) the collection of their data.
- Submitting Data Subject Access Request (DSAR) forms.
- Using “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links and submitting the proper forms.
Summary
Under privacy laws like the CCPA and the GDPR, sensitive personal information is a distinct category of data, and businesses must handle it with additional safeguards.
Depending on the privacy law that applies, users have different rights over their SPI compared to regular categories of personal data.
Because sensitive data includes vulnerable details like a person’s beliefs, sexual orientation, political affiliations, or race, exposing the data could cause harm to the user, including:
- Discrimination
- Humiliation
- Identity theft
- Fraud
- Character defamation
If you collect any details from users that fall under the category of SPI, take extra steps to ensure the data is securely stored and safe from potential cybercrimes.
Conspicuously post a privacy policy on your website or app outlining what sensitive data you collect, the legal basis for why, and explain the rights users have over that data.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
