The CPRA adds “sensitive personal information” to the examples of data types that may constitute personal information. The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields. Some, but not all, of these data fields already existed in the CCPA, and their inclusion with the personal information definition is, therefore, redundant. The following list identifies each data field classified as sensitive personal information. Bolded items were already included as examples of personal information under the CCPA.
|Data Fields Identified as “Sensitive Personal Information” Under the CPRA|
|California Identification card number|
|Contents of consumer’s email|
|Contents of consumer’s mail|
|Contents of consumer’s SMS texts|
|Credit card number (with required security code or password)|
|Debit card number (with required security code or password)|
|Driver’s License Number|
|Financial account number (which permits access to the account)|
|Sex life or sexual orientation|
|Social Security Number|
|Trade union membership|
 Cal. Civil Code 1798.140(v)(1)(L).
 In addition to expanding the examples of personal information, the CPRA imposes new obligations upon companies that use sensitive personal information for purposes other than those enumerated within the Act.
 Cal. Civil Code 1798.140(ae).