Skip to content


The CPRA adds “sensitive personal information”[1] to the examples of data types that may constitute personal information. The term “sensitive personal information” is itself defined within the CPRA to include 20 data fields. Some, but not all, of these data fields already existed in the CCPA, and their inclusion with the personal information definition is, therefore, redundant. The following list identifies each data field classified as sensitive personal information.[2] Bolded items were already included as examples of personal information under the CCPA.

Data Fields Identified as “Sensitive Personal Information” Under the CPRA[3]
Biometric information
California Identification card number
Contents of consumer’s email
Contents of consumer’s mail
Contents of consumer’s SMS texts
Credit card number (with required security code or password)
Debit card number (with required security code or password)
Driver’s License Number
Ethnic origin
Financial account number (which permits access to the account)
Genetic data
Health information
Passport number
Philosophical beliefs
Precise geolocation
Racial origin
Religious beliefs
Sex life or sexual orientation
Social Security Number
Trade union membership

[1] Cal. Civil Code 1798.140(v)(1)(L).

[2] In addition to expanding the examples of personal information, the CPRA imposes new obligations upon companies that use sensitive personal information for purposes other than those enumerated within the Act.

[3] Cal. Civil Code 1798.140(ae).