What Is Sensitive Data?

Certain categories of personal data are singled out by privacy laws for enhanced protections. Businesses that process these types of data may need to comply with additional requirements, depending on the jurisdiction.


U.S. State Privacy Laws (except California)

The following categories of data are considered "sensitive data" by U.S. state privacy laws. Processing these types of data requires consumer consent and triggers the need for a data protection assessment (DPA).


  • Any data that reveals the following:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health condition or diagnosis
    • Sex life
    • Sexual orientation
    • Citizenship or immigration status
  • Consumer health data
  • Genetic or biometric data (when processed for the purpose of uniquely identifying an individual)
  • Personal data collected from a known child under the age of 13
  • Data concerning an individual's status as a victim of crime
  • Precise geolocation data

CCPA

The following categories are considered "sensitive personal information" under the CCPA. Processing this data may trigger a consumer's Right to Limit Use and Disclosure of Sensitive Personal Information, and in the future will likely also trigger the need to create a California-specific DPA.

  • Personal information that reveals:
    • A consumer’s social security, driver’s license, state identification card, or passport number
    • A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
    • A consumer’s precise geolocation
    • A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
    • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
    • A consumer’s genetic data
  • Biometric information (when processed for the purpose of uniquely identifying a consumer)
  • Personal information collected and analyzed concerning a consumer’s health
  • Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation

GDPR

The GDPR prohibits the processing of "special categories of personal data" unless the data subject consents or one of certain other limited circumstances applies. The following are considered special categories of personal data.

  • Data revealing:
    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
  • Genetic or biometric data (when processed for the purpose of uniquely identifying an individual)
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation