Sensitive personal information
What is sensitive personal information?
Sensitive personal information refers to data that carries higher privacy risk because it reveals intimate, unique, or potentially harmful details about an individual. Many privacy frameworks treat this category differently from general personal information, as misuse could expose someone to discrimination, financial harm, or unwanted profiling. This often includes identifiers, geolocation, health details, biometrics, or characteristics that require stronger safeguards and clearer purpose limitations.
What is sensitive personal information under CCPA-CPRA?
Sensitive personal information is a category of data defined by the CCPA-CPRA that includes information that may expose individuals to greater privacy risks. It includes Social Security numbers, government identifiers, financial account access data, precise geolocation, racial or ethnic origin, health information, biometric data, union membership, and sexual orientation. Consumers have special rights to limit how sensitive personal information is used or shared.
Why does sensitive personal information matter?
Sensitive personal information requires stronger safeguards, purpose limitations, and consumer controls. Misuse or unnecessary processing of sensitive personal information can lead to significant privacy risk, so the CCPA-CPRA grants consumers the ability to restrict certain uses. Businesses must understand which data qualifies as sensitive personal information to apply appropriate protections, limit processing to the stated purpose, and provide clear notices.
FAQs about sensitive personal information
Government identifiers, precise geolocation, racial or ethnic origin, union membership, health and biometric information, financial access details, and sexual orientation.
Yes. CPRA provides the “Limit the Use of My Sensitive Personal Information” right, which restricts certain processing activities.
Yes. Businesses must apply minimization, purpose limitation, and security measures that reflect the elevated sensitivity of sensitive personal information.
Yes. When it identifies a consumer’s exact location, it qualifies as sensitive personal information.
No, unless it reveals sensitive characteristics or is derived from sensitive personal information.
Yes. Notices must explain why sensitive personal information is collected, how it is used, and the rights available to consumers.
Processing sensitive personal information often qualifies as high risk, especially when used for automated decisions or profiling.
Yes. Businesses must ensure that sensitive personal information is retained only as long as necessary for the disclosed purpose.