Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not expressly reference “sensitive” categories of personal information, but they functionally impart additional protections on certain categories of personal information. As a result, many data privacy attorneys colloquially refer to the fields as “sensitive” or “special.” For example, while the CCPA did not use the term “sensitive personal information” it imparted upon data subjects enhanced protections for specific data types (e.g., Social Security Number, Driver’s License Number) in the event of a data breach; this caused many privacy attorneys and privacy advocates to informally refer to those data types as being sensitive. The CPRA did use the term “sensitive personal information” which functionally created a second category of data types that received special status (albeit one that largely overlapped with the earlier category of data types).
It is worth noting that some privacy frameworks, such as the NIST Privacy Framework, do not define, or refer to, sensitive personal information. Other privacy frameworks, such as ISO 27701 and 29100, define the term generally (and circuitously) as any category of personal information “whose nature is sensitive” or that might have a significant impact on a data subject.
The following provides a side-by-side comparison of how some of the main data privacy statutes define the term:
Data Field | GDPR |
CCPA / CPRA De Facto Sensitive As Given Enhanced Litigation Rights1 |
CPRA Defined as Sensitive Personal Information2 |
VCDPA3 |
Biometric data |
(only if used to uniquely identify a data subject) |
(only in combination with name) |
(only if used to uniquely identify a data subject) |
(only if used to uniquely identify a data subject) |
Child-collected data | ||||
Citizenship | ||||
Contents of consumer’s email | ||||
Contents of consumer’s mail | ||||
Contents of consumer’s SMS texts | ||||
Credit card number (with required security code or password) |
(only in combination with name) |
|||
Debit card number (with required security code or password) |
(only in combination with name) |
|||
Driver’s License Number |
(only in combination with name) |
|||
Ethnic origin | ||||
Financial account number (which permits access to the account) |
(only in combination with name) |
|||
Genetic data |
(only if used to uniquely identify a data subject) |
(only if used to uniquely identify a data subject) |
||
Health information | ||||
Health insurance information |
(only in combination with name) |
|||
Immigration Status | ||||
Medical or health information |
(only in combination with name) |
(mental or physical diagnosis) |
||
Military identification number |
(only in combination with name) |
|||
Other unique identification number issued on a government document used to verify identity |
(only in combination with name) |
|||
Passport number |
(only in combination with name) |
|||
Philosophical beliefs | ||||
Political opinion | ||||
Precise geolocation | ||||
Racial origin | ||||
Religious beliefs | ||||
Sex life | ||||
Sexual orientation | ||||
Social Security Number |
(only in combination with name) |
|||
Tax identification number |
(only in combination with name) |
|||
Trade union membership | ||||
Username and password that would permit access to an online account. | [1] |
1 Cal. Civ. Code 1798.150(a)(1) (West 2021) (incorporating by reference data fields referred to in Cal. Civ. Code 1798.81.5(d)(1)(A).
2 Cal. Civ. Code 1798.140(ae)(1), (2) (West 2021).
3 Va. Code 59.1-571.
[1] The CPRA refers to a “consumer’s account log-in” in combination with any required security or access code, password, or credentials allowing access to an account. Cal. Civ. Code § 1798.140(ae)(1)(B) (West 2021).