What is Considered Sensitive Personal Information?
Friday, May 14, 2021

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered to raise greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not expressly reference “sensitive” categories of personal information, but they functionally impart additional protections on certain categories of personal information. As a result, many data privacy attorneys colloquially refer to those fields as “sensitive” or “special.” For example, while the CCPA did not use the term “sensitive personal information,” it imparted upon data subjects enhanced protections for specific data types (e.g., Social Security Number, Driver’s License Number) in the event of a data breach; this caused many privacy attorneys and privacy advocates to informally refer to those data types as being sensitive. The CPRA did use the term “sensitive personal information,” which functionally created a second category of data types that received special status (albeit one that largely overlapped with the earlier category of data types).

It is worth noting that some privacy frameworks, such as the NIST Privacy Framework, do not define, or refer to, sensitive personal information. Other privacy frameworks, such as ISO 27701 and 29100, define the term generally (and circuitously) as any category of personal information “whose nature is sensitive” or that might have a significant impact on a data subject.

The following provides a side-by-side comparison of how some of the main data privacy statutes define the term:

Data Field | GDPR | CCPA / CPRA: De Facto Sensitive As Given Enhanced Litigation Rights¹ | CPRA: Defined as Sensitive Personal Information² | VCDPA³

Biometric data

(only if used to uniquely identify a data subject)

(only in combination with name)

(only if used to uniquely identify a data subject)

(only if used to uniquely identify a data subject)

Child-collected data

 

 

 

Citizenship

 

 

 

Contents of consumer’s email

 

 

 

Contents of consumer’s mail

 

 

 

Contents of consumer’s SMS texts

 

 

 

Credit card number (with required security code or password)

 

(only in combination with name)

 

Debit card number (with required security code or password)

 

(only in combination with name)

 

Driver’s License Number

 

(only in combination with name)

 

Ethnic origin

 

Financial account number (which permits access to the account)

 

(only in combination with name)

 

Genetic data

(only if used to uniquely identify a data subject)

 

(only if used to uniquely identify a data subject)

Health information

 

 

 

Health insurance information

 

(only in combination with name)

 

 

Immigration Status

 

 

 

Medical or health information

(only in combination with name)

 

(mental or physical diagnosis)

Military identification number

 

(only in combination with name)

 

 

Other unique identification number issued on a government document used to verify identity

 

(only in combination with name)

 

 

Passport number

 

(only in combination with name)

 

Philosophical beliefs

 

 

Political opinion

 

 

 

Precise geolocation

 

 

Racial origin

 

Religious beliefs

 

Sex life

 

 

Sexual orientation

 

Social Security Number

 

(only in combination with name)

 

Tax identification number

 

(only in combination with name)

 

 

Trade union membership

 

 

Username and password that would permit access to an online account.

 

[1]

 

1 Cal. Civ. Code 1798.150(a)(1) (West 2021) (incorporating by reference data fields referred to in Cal. Civ. Code 1798.81.5(d)(1)(A)).

2 Cal. Civ. Code 1798.140(ae)(1), (2) (West 2021).

3 Va. Code 59.1-571.

[1] The CPRA refers to a “consumer’s account log-in” in combination with any required security or access code, password, or credentials allowing access to an account. Cal. Civ. Code § 1798.140(ae)(1)(B) (West 2021).
