What is sensitive personal information under the CPRA?

~ 10 min read

Sensitive personal information under the CPRA refers to specific categories of personal information that carry higher risks to individuals and are therefore subject to additional use limitations and consumer controls. Under the California Privacy Rights Act (CPRA), sensitive personal information is treated as a narrower subset of personal information. This article explains how sensitive personal information is defined, how it differs from general personal information, which data categories are considered sensitive, and when additional obligations such as limiting use apply in practice.

Introduction

Not all personal information is treated the same under California’s privacy law. While the CCPA establishes broad protections for personal information, the CPRA introduces the concept of sensitive personal information to address data types that pose heightened risks if misused, exposed, or used beyond a consumer’s reasonable expectations.

Sensitive personal information is not simply “more personal” data. It reflects categories of information that can reveal intimate details about an individual, enable precise tracking, or create meaningful risks of harm if used without appropriate limitations. Understanding this distinction is essential for businesses that already collect personal information and need to determine whether additional restrictions apply.

This article focuses specifically on sensitive personal information under the CPRA. For a broader explanation of what qualifies as personal information in the first place, see our guide on what is personal information under the CCPA.


How the CPRA defines sensitive personal information

Legal definition: Under California Civil Code section 1798.140(ae), sensitive personal information is a defined set of categories of personal information, such as certain government identifiers, precise geolocation, specific characteristics and beliefs, certain financial account and log-in data, the contents of certain communications, genetic and neural data, and personal information collected and analyzed about a consumer’s health or sex life.

In practice, sensitive personal information is a subset of personal information that the law treats differently because of the nature of the data involved. While all sensitive personal information is personal information, not all personal information is sensitive personal information.

The CPRA uses a list-based approach here. Instead of defining “sensitive” using a general risk test, it identifies specific categories and gives consumers a right to limit how that information is used or disclosed in certain situations.


How sensitive personal information differs from personal information

The key difference between personal information and sensitive personal information is not identifiability, but risk and use limitations.

Personal information focuses on whether data can reasonably be linked to a consumer or household. Sensitive personal information focuses on whether the nature of the data itself justifies tighter restrictions on use.

In simple terms:

  • Personal information determines whether the CCPA/CPRA applies. Questions around scope and coverage are explained in more detail in our CCPA applicability guide.
  • Sensitive personal information determines whether additional consumer controls may apply once the law already applies.

This distinction matters because businesses can comply with general personal information obligations while still triggering separate requirements for sensitive personal information, depending on how that data is used.


Categories of sensitive personal information under the CPRA

The CPRA lists specific categories of data that qualify as sensitive personal information. These categories are defined by statute.

Common categories include:

  • Government-issued identifiers, including Social Security numbers, driver’s license numbers, state identification card numbers, and passport numbers
  • Account log-in credentials and financial account or payment card numbers in combination with the required access code, password, or credentials that allow access to an account
  • Precise geolocation, meaning device-derived data used or intended to locate a consumer within a geographic area equal to or less than a circle with a 1,850-foot radius (except as prescribed by regulations)
  • Racial or ethnic origin, religious or philosophical beliefs, union membership, and citizenship or immigration status
  • Genetic data
  • Neural data
  • The contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication
  • Biometric data processed for the purpose of uniquely identifying a consumer
  • Personal information collected and analyzed concerning a consumer’s health
  • Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation

These categories are considered sensitive because of the potential consequences of misuse, unauthorized access, or secondary use beyond what consumers reasonably expect. To find out how certain data categories intersect with selling or sharing obligations you can consult our associated guide on selling and sharing under the CCPA.

Because the list is specific, a useful way to evaluate borderline cases is to ask: Does this data fall into one of the statute’s listed sensitive categories (including the built-in conditions, like “precise” geolocation or “in combination with” credentials)? If not, it may still be personal information, but not sensitive personal information under the CPRA.


When sensitive personal information triggers additional obligations

Collecting sensitive personal information does not automatically prohibit its use. Instead, the CPRA introduces a specific consumer right to limit the use and disclosure of sensitive personal information, depending on how that data is used and for what purpose.

Under California privacy law, consumers may have the right to limit a business’s use and disclosure of sensitive personal information to what is reasonably necessary to:

  • Perform services or provide goods that an average consumer would reasonably expect when requesting those goods or services
  • Carry out certain limited business purposes expressly permitted under the CPRA, such as security, fraud prevention, or maintaining system integrity

When sensitive personal information is used or disclosed beyond these limited purposes, consumers may be entitled to restrict that use.

The key trigger is not the collection of sensitive personal information, but how it is used or disclosed in practice. If a business uses sensitive personal information only for permitted purposes and clearly discloses that use, additional limitation mechanisms may not apply.

Practical example: A website collects standard analytics data such as IP addresses and page views to understand traffic patterns. This data qualifies as personal information because it can reasonably be linked to a visitor or household, but it is not sensitive on its own.

The same website also offers a store locator that uses precise geolocation to show nearby locations. Because precise geolocation is a listed category of sensitive personal information, additional considerations apply. If the location data is used only to provide the requested feature and is not retained or reused for other purposes, the right to limit use may not apply.

However, if the website later uses that precise location data to build user profiles, infer habits, or support targeted advertising, consumers may be entitled to limit the use of sensitive personal information, even though the data was originally collected in a functional context.
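The two-step test described above (first, does the data fall into a listed category including its built-in conditions; second, is it used beyond the reasonably necessary or expressly permitted purposes) can be written down as a small policy-as-code check. This is an added example, not Clym's code; the category labels, the dataclass fields and the purpose labels are this example's own assumptions, while the 1,850-foot radius and the permitted purposes are taken from the article.

```python
"""Policy-as-code sketch of the CPRA sensitive personal information (SPI) test
described in this article. Added example, not Clym's code; category names,
dataclass fields and purpose labels are this example's own assumptions."""
from dataclasses import dataclass
from typing import Optional

PRECISE_GEO_RADIUS_FT = 1850  # statutory radius from Civ. Code 1798.140(ae)

# Categories the article lists as sensitive without further conditions.
UNCONDITIONAL_SPI = {
    "government_id", "racial_ethnic_origin", "religious_beliefs",
    "union_membership", "citizenship_immigration", "genetic", "neural",
    "health_analyzed", "sex_life_or_orientation",
}
# Purposes the article names as reasonably necessary or expressly permitted.
PERMITTED_PURPOSES = {
    "provide_requested_service", "security", "fraud_prevention",
    "system_integrity",
}

@dataclass
class DataElement:
    category: str
    geo_radius_ft: Optional[float] = None   # only meaningful for "geolocation"
    with_access_credential: bool = False    # for "financial_account"
    business_is_recipient: bool = False     # for "communication_contents"
    processed_to_identify: bool = False     # for "biometric"

def is_sensitive(d: DataElement) -> bool:
    """Apply the list-based test, including the statute's built-in conditions."""
    if d.category in UNCONDITIONAL_SPI:
        return True
    if d.category == "geolocation":  # "precise" means radius <= 1,850 ft
        return d.geo_radius_ft is not None and d.geo_radius_ft <= PRECISE_GEO_RADIUS_FT
    if d.category == "financial_account":  # "in combination with" credentials
        return d.with_access_credential
    if d.category == "communication_contents":  # not SPI if business is recipient
        return not d.business_is_recipient
    if d.category == "biometric":  # only when processed to uniquely identify
        return d.processed_to_identify
    return False  # e.g. IP address, page views: personal information only

def right_to_limit_applies(d: DataElement, purposes: set) -> bool:
    """Use-based trigger: SPI used for any purpose outside the permitted set."""
    return is_sensitive(d) and bool(set(purposes) - PERMITTED_PURPOSES)

if __name__ == "__main__":
    # Constructed sample reproducing the article's store-locator scenario.
    locator = DataElement("geolocation", geo_radius_ft=50)
    print(right_to_limit_applies(locator, {"provide_requested_service"}))
    print(right_to_limit_applies(locator, {"provide_requested_service",
                                           "targeted_advertising"}))
```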

Limiting the use of sensitive personal information in practice

This framework is commonly referred to as “limiting the use of sensitive personal information.” Whether a business must support this limitation depends on several contextual factors, including:

  • The category of sensitive personal information involved
  • The purpose for which the data is used or disclosed
  • Whether the use aligns with what an average consumer would reasonably expect in the context of the interaction

In some cases, businesses that collect sensitive personal information solely to provide requested services, or that process certain sensitive data without using it to infer characteristics about a consumer, may not be required to offer a separate limitation option, provided this is accurately reflected in their disclosures.

This limitation right is distinct from opt-out rights related to selling or sharing personal information. A business may be required to limit the use of sensitive personal information even if it does not sell or share personal information at all.

Why this distinction matters

Because sensitive personal information obligations are use-based rather than collection-based, businesses can satisfy general personal information requirements while still triggering additional obligations for sensitive personal information, depending on how that data is handled.

In practice, this often affects how sensitive personal information is described at the point of collection and in ongoing privacy disclosures. When sensitive personal information is used beyond permitted purposes, businesses may need to reflect those uses accurately in their notice at collection and privacy policy, alongside any applicable consumer choice mechanisms.

Accurately identifying when sensitive personal information is used beyond permitted purposes helps businesses align privacy disclosures, consumer choice mechanisms, and internal data practices with CPRA expectations.


Sensitive personal information and cookies or tracking technologies

A common question is whether cookies or online tracking data qualify as sensitive personal information.

In most cases, cookies and standard online identifiers are treated as personal information, not sensitive personal information. However, certain tracking data may qualify as sensitive personal information when it reveals sensitive attributes or enables precise tracking beyond general analytics.

For example:

  • Precise geolocation data collected through websites or web-based services may qualify as sensitive personal information
  • Biometric identifiers used for authentication may qualify as sensitive personal information

Whether a particular data element qualifies depends on what the data reveals and how it is used, not merely the technology involved. Broader considerations around cookies, tracking, and preference signals are covered in our CCPA and online tracking resources.


Practical examples of sensitive personal information in use

Seeing how sensitive personal information appears in real-world scenarios can help clarify when additional considerations may apply.

  • Mobile app using precise location: A delivery or fitness app collects GPS-level location data to provide real-time services. Because the location data is precise and continuously collected, it may qualify as sensitive personal information, especially if used beyond what is necessary to provide the service.
  • Biometric authentication: A website or application uses facial recognition or fingerprint data to authenticate users. Biometric identifiers used for identification or authentication purposes typically fall within sensitive personal information categories.
  • Financial account access: An online service stores bank account numbers or payment credentials to enable recurring payments. This financial information is considered sensitive personal information due to the risk of misuse if accessed or disclosed improperly.
  • Health-related platforms: A wellness or telehealth platform processes information about medical conditions or treatments. Even when access is restricted, this type of data may qualify as sensitive personal information under the CPRA.

Common misconceptions about sensitive personal information

Several misconceptions lead to confusion about when sensitive personal information obligations apply:

  • Not all geolocation data is sensitive personal information. Only precise geolocation typically qualifies.
  • Not all health-related data is sensitive personal information. Context and statutory definitions matter.
  • Collecting sensitive personal information does not always require a separate link or notice. Obligations depend on use, not just collection.

Understanding these nuances helps businesses avoid both over- and under-applying CPRA requirements.


Why sensitive personal information matters for businesses

Sensitive personal information affects how businesses design data practices, particularly in areas such as:

  • Product and service design
  • Tracking and profiling decisions
  • Disclosure accuracy in privacy notices
  • Consumer choice mechanisms

Because sensitive personal information carries additional expectations around restraint and transparency, misclassifying or overlooking it can lead to misaligned disclosures or consumer controls.


Where tools and platforms can help

Once businesses understand how sensitive personal information is defined under the CPRA, the next challenge is determining how that data is collected, used, and disclosed across websites, applications, and internal systems. This is particularly relevant where sensitive attributes may be inferred or revealed through tracking technologies, authentication methods, or integrated services.

Platforms like Clym provide tools that can support privacy operations related to sensitive personal information, without replacing legal analysis or determining scope on their own. Relevant capabilities include:

  • Cookie Scanner: Helps teams identify cookies, trackers, and scripts running on a website. This can support assessments of whether tracking technologies may collect data that reveals sensitive attributes, such as precise geolocation or biometric identifiers.
  • Consent Widget: Provides a way to present privacy choices to website visitors and capture preference signals, which can be relevant when consumers are entitled to limit the use of sensitive personal information.
  • Privacy & Cookie Policy Management: Supports the creation and updating of privacy and cookie notices, helping businesses accurately describe how sensitive personal information is handled and for what purposes.
  • DSAR management: Provides structured intake and handling of consumer requests, including requests related to limiting the use of sensitive personal information.
  • Governance Portal and Control Center: Offer centralized visibility into privacy-related configurations, documentation, and operational changes across domains and tools.

These tools can help teams translate sensitive personal information requirements into operational awareness as data practices, vendors, or tracking technologies evolve.


Next steps

Understanding sensitive personal information is a natural extension of understanding personal information under the CCPA. To see how these concepts fit into broader obligations, explore the CCPA compliance guide 2026 for businesses. For related topics, review guides on what is personal information under the CCPA, selling and sharing under the CCPA, and CCPA and online tracking under California privacy law.

FAQs about sensitive personal information under the CCPA

Sensitive personal information includes specific categories of personal information listed in the CPRA, such as precise geolocation, biometric data, certain financial and health information, and protected personal characteristics.

Personal information focuses on identifiability, while sensitive personal information focuses on the nature of the data and whether additional limits on use apply.

In most cases, cookies are personal information, not sensitive personal information. They may qualify as sensitive personal information only when they reveal sensitive attributes or enable precise tracking defined by the CPRA.

The right to limit use applies when sensitive personal information is used for purposes beyond what is necessary to provide requested goods or services, subject to statutory exceptions.

Sensitive personal information is subject to additional limitations on use, but those limitations depend on context, purpose, and statutory allowances rather than applying automatically in all cases.

Sensitive personal information is a concept introduced and defined by the CPRA. While the CCPA governs personal information broadly, the CPRA adds sensitive personal information as a specific subset with additional consumer controls related to use and disclosure.

Not always. The requirement to offer a limitation mechanism depends on how sensitive personal information is used. If the data is used only for purposes necessary to provide requested goods or services, additional limitation options may not apply.

Yes. The CPRA permits the use of sensitive personal information for certain essential business purposes, including security, fraud prevention, and system integrity, provided the use aligns with statutory allowances.

Businesses often assess whether they collect sensitive personal information by reviewing data collection points, tracking technologies, authentication methods, and third-party integrations, and by evaluating whether any collected data falls within the CPRA’s listed sensitive categories.

Misclassifying sensitive personal information can lead to inaccurate disclosures, missing consumer controls, or over-application of restrictions. Regular reviews of data practices help businesses align how sensitive data is handled with how it is disclosed.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.