Yes and no.

The CCPA references directly, or by incorporating definitions from other code provisions, 55 data types that may fall under the broad definition of “personal information.”  While the CCPA does not label any data type as being more, or less, sensitive than another, the Act does confer special rights on a subset of data.  Specifically, the Act only permits consumers to bring suit if one of the following fourteen data types (in conjunction with the consumer’s name) is breached as a result of a failure to implement reasonable security:[1]

1. Social Security Number
2. Driver’s License Number
3. California Identification card number
4. Tax identification number
5. Passport number
6. Military identification number
7. Other unique identification number issued on a government document used to verify identity.
8. Account number
9. Credit card number (with required security code or password)
10. Debit card number (with required security code or password)
11. Medical information
12. Health insurance information
13. Unique biometric data
14. Username and password that would permit access to an online account.

It should be noted that the California Privacy Rights Act of 2020 (the “CPRA” or “Proposition 24”) – which will be on the California ballot in November – would create a new subcategory of data types that would be explicitly referenced as “sensitive.”  While this new subcategory overlaps with the data fields about which a consumer law suit could be brought there is not a perfect symmetry:

[1] CPRA Section 1798.150(a)(1) (incorporating by reference Cal. Civil Code 1798.81.5(d)(1)(A)(i)-(vi)).

[2] Proposed Section 1798.140(ae).