Skip to main content

Sensitive Personal Information

What Is Sensitive Personal Information?

Sensitive personal information generally refers to data that, if disclosed, could harm someone or violate their privacy. 

Although the exact definition varies depending on the privacy law in question, sensitive personal information typically includes information like precise geolocation, health information, Social Security numbers, financial information, and religious or philosophical beliefs. 

This type of information usually requires a higher level of protection due to its potentially harmful nature if misused. 

Third-party definition 

Personal information that reveals: (a) consumer’s social security, driver’s license, state identification card, or passport number; (b) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) A consumer’s precise geolocation; (d) A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (e) the contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; (f) A consumer’s genetic data; (g) health related data. – Clym

Sensitive Personal Information vs. Personal Information

Sensitive personal information is a subset of personal information, which is data that identifies a person. 

Sensitive personal information requires more robust protection than personal information due to its nature and potential harm that could come from its compromise or misuse. 

The distinction lies in the level of impact on the individual’s privacy and the potential risks involved if the data were to be accessed or disclosed without authorization. 

Sensitive Personal Information Under the GDPR

As per the European General Data Protection Regulation (GDPR), sensitive data (or special categories of personal data) includes genetic data, biometric data, and health data. 

It also includes personal data that reveals ethnic and racial origin, religious/ideological convictions, trade union membership, and political opinions. 

Sensitive Personal Information Under US State Laws

The definition of sensitive personal information is similar across different US state laws. 

For example, in California, the California Consumer Privacy Act (CCPA) defines sensitive personal information as:

  • Government identifiers (like Social Security numbers).
  • Precise geolocation.
  • Account details (like logins and passwords).
  • Financial information (like debit/credit card numbers with security codes).
  • Genetic data.
  • Biometric information.
  • Private communications (like text messages, mail, and email).
  • Racial or ethnic origin.
  • Union membership.
  • Religious or philosophical beliefs.
  • Information about a person’s health, sexual orientation, or sex life. 

In 2023, California Gov. Gavin Newsom signed Assembly Bill 947 (AB 947) into law, which added citizenship and immigration status to the CCPA’s definition of “sensitive personal information.”

Under the CCPA, consumers can limit how businesses use and disclose personal information that’s deemed sensitive. 

Under the Connecticut Data Privacy Act (CTDPA), sensitive data includes:

  • Genetic and biometric data.
  • Precise geolocation data.
  • Personal data of anyone who is under the age of 13.
  • Data that reveals a person’s religious beliefs, racial or ethnic origins, sexual activity or orientation, immigration status, citizenship, and physical or mental health diagnoses and conditions. 

Controllers must get consumers’ consent before processing sensitive data under the CTDPA.

If you live in a state with a privacy law, you can see what qualifies as sensitive data by searching for “ (your state law) + sensitive personal information.”

How to Keep Your Sensitive Personal Information Private

Unfortunately, when it comes to keeping your sensitive personal information private, much of it is out of your hands and in the hands of the organization that has it—especially if you live in a state without a comprehensive consumer privacy law. 

However, there are some steps you can take to improve the privacy of your sensitive personal information. These include the following: 

  • Limiting the use and disclosure of your sensitive personal information. Depending on where you live, you might be able to limit how businesses use and disclose the sensitive personal information they collect about you. 
  • Using strong passwords. Create complex and unique passwords (potentially with the help of a password manager) for each account to reduce the risk of criminals breaking into your accounts. Avoid using easily guessable passwords like birthdays or common words. 
  • Enable multi-factor authentication. Where available, turn on multi-factor authentication (MFA). That way, even if someone has your passwords, they still won’t be able to log into your accounts and potentially access even more sensitive information. 
  • Be mindful of phishing scams. Watch out for phishing emails or messages that try to get you to reveal sensitive personal information. 
  • Don’t share sensitive personal information. Be thoughtful about the personal information you share online, especially on social media. 
  • Shred sensitive documents. Before disposing of physical documents that contain sensitive information (like bank statements, utility bills, or medical records), properly destroy them.
  • Opt out of data brokers. Remove your name from data broker sites that might be selling your sensitive personal information to others. Remember to do so continuously – data brokers relist your information when they come across more data. Or, subscribe to a data broker removal service like DeleteMe