Yes and no.
The CCPA references directly, or by incorporating definitions from other code provisions, 55 data types that may fall under the broad definition of “personal information.” While the CCPA does not label any data type as being more, or less, sensitive than another, the Act does confer special rights on a subset of data. Specifically, the Act only permits consumers to bring suit if one of the following fourteen data types (in conjunction with the consumer’s name) is breached as a result of a failure to implement reasonable security:[1]
- Social Security Number
- Driver’s License Number
- California Identification card number
- Tax identification number
- Passport number
- Military identification number
- Other unique identification number issued on a government document used to verify identity.
- Account number
- Credit card number (with required security code or password)
- Debit card number (with required security code or password)
- Medical information
- Health insurance information
- Unique biometric data
- Username and password that would permit access to an online account.
It should be noted that the California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) – which will be on the California ballot in November – would create a new subcategory of data types that would be explicitly referenced as “sensitive.” While this new subcategory overlaps with the data fields about which a consumer law suit could be brought there is not a perfect symmetry:
Data Fields About Which a Lawsuit Could Be Brought Following a Breach | Data Fields Identified as “Sensitive Personal Information” Under the CPRA[2] |
Social Security Number | Social Security Number |
Driver’s License Number | Driver’s License Number |
California Identification card number | California Identification card number |
Tax identification number | |
Passport number | Passport number |
Military identification number | |
Other unique identification number issued on a government document used to verify identity. | |
Financial account number (which permits access to the account) | Financial account number (which permits access to the account) |
Credit card number (with required security code or password) | Credit card number (with required security code or password) |
Debit card number (with required security code or password) | Debit card number (with required security code or password) |
Medical information | |
Health insurance information | |
Unique biometric data | |
Username and password that would permit access to an online account. | |
Precise geolocation | |
Racial origin | |
Ethnic origin | |
Religious beliefs | |
Philosophical beliefs | |
Trade union membership | |
Contents of consumer’s mail | |
Contents of consumer’s email | |
Contents of consumer’s SMS texts | |
Genetic data | |
Biometric information | |
Health information | |
Sex life or sexual orientation |
[1] CPRA Section 1798.150(a)(1) (incorporating by reference Cal. Civil Code 1798.81.5(d)(1)(A)(i)-(vi)).
[2] Proposed Section 1798.140(ae).