Skip to content

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not expressly reference “sensitive” categories of personal information, but they functionally impart additional protections on certain categories of personal information. As a result, many data privacy attorneys colloquially refer to the fields as “sensitive” or “special.” For example, while the CCPA did not use the term “sensitive personal information” it imparted upon data subjects enhanced protections for specific data types (e.g., Social Security Number, Driver’s License Number) in the event of a data breach; this caused many privacy attorneys and privacy advocates to informally refer to those data types as being sensitive. The CPRA did use the term “sensitive personal information” which functionally created a second category of data types that received special status (albeit one that largely overlapped with the earlier category of data types).

It is worth noting that some privacy frameworks, such as the NIST Privacy Framework, do not define, or refer to, sensitive personal information. Other privacy frameworks, such as ISO 27701 and 29100, define the term generally (and circuitously) as any category of personal information “whose nature is sensitive” or that might have a significant impact on a data subject.

The following provides a side-by-side comparison of how some of the main data privacy statutes define the term:

Data Field GDPR

CCPA / CPRA

De Facto Sensitive As Given Enhanced Litigation Rights1

CPRA

Defined as Sensitive Personal Information2

VCDPA3
Biometric data

(only if used to uniquely identify a data subject)

(only in combination with name)

(only if used to uniquely identify a data subject)

(only if used to uniquely identify a data subject)

Child-collected data
Citizenship
Contents of consumer’s email
Contents of consumer’s mail
Contents of consumer’s SMS texts
Credit card number (with required security code or password)

(only in combination with name)

Debit card number (with required security code or password)

(only in combination with name)

Driver’s License Number

(only in combination with name)

Ethnic origin
Financial account number (which permits access to the account)

(only in combination with name)

Genetic data

(only if used to uniquely identify a data subject)

(only if used to uniquely identify a data subject)

Health information
Health insurance information

(only in combination with name)

Immigration Status
Medical or health information

(only in combination with name)

(mental or physical diagnosis)

Military identification number

(only in combination with name)

Other unique identification number issued on a government document used to verify identity

(only in combination with name)

Passport number

(only in combination with name)

Philosophical beliefs
Political opinion
Precise geolocation
Racial origin
Religious beliefs
Sex life
Sexual orientation
Social Security Number

(only in combination with name)

Tax identification number

(only in combination with name)

Trade union membership
Username and password that would permit access to an online account. [1]

1 Cal. Civ. Code 1798.150(a)(1) (West 2021) (incorporating by reference data fields referred to in Cal. Civ. Code 1798.81.5(d)(1)(A).

2 Cal. Civ. Code 1798.140(ae)(1), (2) (West 2021).

3 Va. Code 59.1-571.

[1] The CPRA refers to a “consumer’s account log-in” in combination with any required security or access code, password, or credentials allowing access to an account. Cal. Civ. Code § 1798.140(ae)(1)(B) (West 2021).