Data privacy laws and regulations explicitly emphasize the protection and conscientious handling of individuals’ “sensitive personal information.” This is because sensitive personal information carries far greater risks to individuals should their data be disclosed than “regular” personal information.
If personally identifiable information can still be used to identify a specific individual or their household, what’s special about certain data or informational categories that makes them “sensitive”?
Personal vs. Sensitive Personal Information (According to the CCPA)
Comparing personal vs. sensitive information presents a classic “square vs. rectangle” situation, where all sensitive personal information counts as personal information but not vice versa.
Fortunately, data privacy laws and regulations define what categories do and don’t receive this special designation. On the flip side, unfortunately, the privacy frameworks businesses must create to comply with the laws demonstrate subtle inconsistencies across their definitions.
To simplify this breakdown, let’s explore one definition first: the California Consumer Privacy Act (CCPA), as amended by the CPRA. This legislation was the first (and remains the most comprehensive) state data privacy law in the US, making it the perfect place for businesses to start.
Similarities Between Personal and Sensitive Information
Per the CCPA, personal and sensitive personal data (information) can be used to identify an individual or their household. Specifically:
“‘Personal information’ means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Generally speaking, if an unauthorized party accessing that information can use it to determine who a person is or where they reside, etc., it likely counts as personal information. Typically, “personal information” does not include deidentified consumer information or aggregate consumer information.
Similarities also include explicit consent requirements and the limits of collection and processing activities. Businesses:
- Must have individuals’ informed consent prior to or when collecting personal or sensitive information
- Cannot collect more data or use it for more purposes than those disclosed without providing additional notice
- Must inform individuals of how long they intend to retain the data or the criteria for that decision
Personal and Sensitive Data—Similar Exemptions
Crucially, one last similarity between personal and sensitive information involves the criteria that exempt data from privacy protections as outlined in the CCPA. These CCPA-outlined conditions are:
- If it was already publicly available via government records or the business reasonably believes initial publication occurred via the individual’s own actions or widely distributed media
- If it was lawfully obtained as a public matter (e.g., via search warrant) and is accurate
- If it is de-identified or aggregated
Differences Between Personal and Sensitive Information
The primary difference between personal information and SPI comes down to the privacy stakes involved. If a company violates the privacy of sensitive information, it renders those individuals much more vulnerable. They may become victims of:
- Identity theft
- Financial fraud
- Reputational damage
- Harassment or discrimination
Accordingly, the CCPA stipulates additional consideration for any sensitive data categories.
Companies must perform these data privacy risk assessments to determine whether they’ve processed sensitive information and if the benefits of doing so for a given purpose outweigh the risks. For CCPA compliance, these assessments fall under the authority of the California Privacy Protection Agency, and final rulemaking is forthcoming.
Additionally, consumers may exercise their right to limit the use of their sensitive information to the following circumstances:
- Ensuring data security and integrity
- Same-session advertising if the data isn’t disclosed to third parties or used to compile profiles or alter consumer experiences
- Performing standard business purposes and operations (e.g., account or customer service, order fulfillment, financing)
- Verifying or maintaining service delivery and quality
Consumers exercising this right prevent businesses from using their sensitive information for marketing statistics, advertising or marketing services, or internal research.
Types of SPI
The CCPA explicitly categorizes the following as types of sensitive personal information:
- Government identification numbers—specifically, consumers’ social security numbers, driver’s licenses, state identification cards, and passport numbers.
- Account log-in, financial accounts, or debit or credit card numbers when combined with access credentials, such as passwords, cybersecurity codes or access codes, or PINs
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union memberships
- Message contents—specifically of physical mail, email, and text messages (unless consumers send these communications directly to a business)
- Genetic data
- Biometric data used to uniquely identify consumers
- Health data
- Sexual orientation or activity data
Sensitive Personal Information in Other US State Consumer Privacy Laws
Part of the confusion related to what is sensitive personal information is that, though similar, different privacy laws and regulations may define the data categories they describe (and their compliance-obligated protections) with slight variations.
- Colorado Privacy Act – The CPA doesn’t explicitly designate government ID numbers, union membership, or precise geolocation as sensitive information but does regard any personal information belonging to a known child as such. In comparison, California separately distinguishes privacy rights for those under 16—allowing those between 13 and 16 years old to provide consent and parents or guardians to do so for those under 13. Other data types are roughly equal.
- Connecticut Data Privacy Act – The CTDPA also doesn’t explicitly designate government ID numbers or union membership as sensitive information. However, it does include both precise geolocation and data belonging to a known child.
- Utah Consumer Privacy Act – The UCPA’s sensitive information categories similarly mirror Connecticut’s except for the “known child” distinction. However, the UCPA is also more notable for the permitted exemptions for otherwise sensitive information:
  - Racial or ethnic origin if processed by a video communication service
  - Medical history, mental or physical health conditions, medical treatments, or diagnoses if processed by a healthcare professional
- Virginia Consumer Data Privacy Act – The VCDPA’s sensitive information categories virtually mirror Connecticut’s.
“Special Categories” Protected by the GDPR
Before California made US history with the first data privacy law, the European Union established the General Data Protection Regulation (GDPR). Under Article 9, the following are listed as “Special Categories”:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used to uniquely identify natural persons
- Sexual orientation or activity data
These categories are relatively equivalent to US definitions and understanding of sensitive information. Organizations (“data controllers”) cannot process these types of data unless they have the individual’s (“data subject’s”) explicit consent or processing is necessary. Permitted instances include employment, social security, legal claims, human services like an individual’s self-publication, healthcare delivery, public health, and public interest, or historical, scientific, or statistical research.
As with the CCPA, data controllers subject to the GDPR must perform regular risk assessments for large quantities of “Special Category” data. However, these official Data Protection Impact Assessments (DPIA) are more rigorous. Per Article 35, a DPIA consists of:
- The proposed processing activities and their purpose
- An evaluation of the data’s “proportionality” to its purpose
- An evaluation of the risks processing poses to the data subject
- Risk mitigation efforts
Considerations When Utilizing Sensitive Personal Information
Businesses managing “sensitive personal information” and “special category” personal data should consider the following:
- Notices at collection. Ensure individuals are notified of their rights and provide resources for them to learn more.
- Data Protection / Privacy Impact Assessments.
- Cybersecurity assessments. Evaluate cybersecurity implementations and configurations regularly to ensure any personal or sensitive information stored within company-owned environments is sufficiently protected.
- Data to processing mapping. Track and map all personal and sensitive information collected, processed, and stored.
- Company policies. Evaluate policies and procedures to ensure they reflect and respect the spirit of data privacy regardless of a given law or regulation’s applicability or requirements, such as establishing standard data retention timelines and criteria for deletion.
- Data subject requests. Honor restrictions on out-of-context SPI uses: explicit opt-out under the CCPA, opt-in under the VCDPA, and legal basis plus objection/restriction under the GDPR.
These efforts will strongly position any business for compliance success (and help improve its consumer reputation).
Simplify Data Privacy Compliance with DataGrail
Even with the distinctions between personal and sensitive information, businesses sifting through the different definitions and protection requirements can easily encounter major interpretation or implementation challenges. However, implementing DataGrail’s platform streamlines and simplifies your data privacy processes.
With the CCPA and GDPR rules actively enforced and the coming enforcement of the remaining state-level laws, there’s no better time to optimize your data privacy compliance.
California Legislative Information. 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
California Legislative Information. Part 4. Obligations Arising From Particular Transactions [1738 – 3273.55]. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.80
California State Senate. Protected Classes. https://www.senate.ca.gov/content/protected-classes
Colorado Legislature. Colorado Privacy Act. https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
State of Connecticut. Substitute Senate Bill No. 6, Public Act No. 22-15. https://www.cga.ct.gov/2022/act/Pa/pdf/2022PA-00015-R00SB-00006-PA.PDF
Utah State Legislature. Consumer Privacy Act. https://le.utah.gov/~2022/bills/static/SB0227.html
Code of Virginia. Chapter 53. Consumer Data Protection Act. https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/
GDPR. Article 9: Processing of special categories of personal data. https://gdpr-info.eu/art-9-gdpr/
GDPR. Article 35: Data protection impact assessment. https://gdpr-info.eu/art-35-gdpr/
Department of Law Attorney General – Consumer Protection Section. Colorado Privacy Act Rules, Version 3 of Proposed Draft Rules (1-27-2023). https://coag.gov/app/uploads/2023/01/CPA_Version-3-Proposed-Draft-Regulations-1.27.2023.pdf