Yes.
The CPRA adds “sensitive personal information”[1] to the examples of data types that may constitute personal information. The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields. Some, but not all, of these data fields already existed in the CCPA, and their inclusion with the personal information definition is, therefore, redundant. The following list identifies each data field classified as sensitive personal information.[2] Bolded items were already included as examples of personal information under the CCPA.
| Data Fields Identified as “Sensitive Personal Information” Under the CPRA[3] |
| Biometric information |
| California Identification card number |
| Contents of consumer’s email |
| Contents of consumer’s mail |
| Contents of consumer’s SMS texts |
| Credit card number (with required security code or password) |
| Debit card number (with required security code or password) |
| Driver’s License Number |
| Ethnic origin |
| Financial account number (which permits access to the account) |
| Genetic data |
| Health information |
| Passport number |
| Philosophical beliefs |
| Precise geolocation |
| Racial origin |
| Religious beliefs |
| Sex life or sexual orientation |
| Social Security Number |
| Trade union membership |
[1] Cal. Civil Code 1798.140(v)(1)(L).
[2] In addition to expanding the examples of personal information, the CPRA imposes new obligations upon companies that use sensitive personal information for purposes other than those enumerated within the Act.
[3] Cal. Civil Code 1798.140(ae).