Processing Sensitive Personal Information under U.S. State Privacy Laws
As of now, nine states (CA, CO, CT, IA, IN, MT, TN, UT, and VA) have passed comprehensive privacy laws that are in effect (CA and VA), or are about to go into effect sometime soon (CO, CT, IA, IN, MT, TN, and UT). If any of these laws apply to your business, it is important to note that each impose special requirements when it comes to processing what they respectively treat as sensitive personal information (also referred to as “sensitive data”, a type of “personal data” under some laws). These nine states have adopted three different approaches to processing sensitive personal information (“SPI”).
What is sensitive personal information?
The answer depends on which state privacy law applies. As the table below illustrates, while certain types of personal information are considered sensitive in all states, the California Consumer Privacy Act (CCPA), as amended, has a broader definition of SPI than the other states. In addition to the data types noted in the chart below, the CCPA’s definition of SPI also includes the following: account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, contents of a consumer’s communications where the business is not the recipient, government ID Information (e.g., social security, driver’s license, state ID, or passport number), philosophical beliefs, and union membership.
CLICK IMAGE TO VIEW LARGER
California Residents Have the Right to Limit the Use of SPI
The Section 7027(m) permitted purposes, for which there is no right to limit, include when a business is processing sensitive personal information:
to provide goods/services reasonably expected by a requesting consumer (e.g., processing location to provide navigation features), or
the processing is not done to infer characteristics about a consumer (e.g., providing a search engine of medical conditions).
If the business’s use of a CA Consumer’s SPI falls outside of the Section 7027(m) permitted purposes, CA Consumers have a right to limit the use of their SPI. A business must advise CA Consumers of their right to limit, and offer at least two methods, to submit a request to limit, one of which must reflect the manner in which the business primarily interacts with the individual. If a business collects SPI online, it must post either a “Limit the Use of My Sensitive Personal Information” link or a valid alternative opt-out link in the website footer.
A business that receives a request to limit must, as soon as feasible, but no later than 15 business days after receiving the request, take the following steps:
Stop all use and disclosure of SPI for any unpermitted purposes (those not listed in 7027(m));
Notify all service providers that process SPI for unpermitted purposes on your behalf to comply with the request to limit; and
Notify all third parties to whom you disclosed the SPI for unpermitted purposes of the request and direct them to: (a) comply with the request; and (b) forward the request to any other person with whom the third party has disclosed the SPI.
If a CA Consumer has limited the use of their SPI, a business cannot ask them to consent to the use for unpermitted purposes for at least 12 months after receiving their request to limit.
Six States Require Data Protection Assessments and Opt-in Consent Before Processing SPI
Colorado, Connecticut, Indiana, Montana, Tennessee, and Virginia each require a controller to perform a data protection assessmentAND obtain valid opt-in consent of the individual (or, in the case of a child, their parent or guardian) that is a resident of those states BEFORE processing SPI.
Each of these laws adopt a similar definition of consent, meaning a clear affirmative act signifying an individual’s freely given, specific, informed, and unambiguous agreement.
The Colorado, Connecticut, and Montana definitions make clear that following actions do not constitute valid consent:
Acceptance of general or broad terms containing descriptions of data processing and other unrelated terms
Hovering over, muting, pausing, or closing a piece of content
Agreement obtained through dark patterns (an interface that impairs user autonomy, decision-making, or choice)
The Colorado Privacy Act (CPA) Rules provide additional clarity on what constitutes valid consent. Parsing the definition, Rule 7.03 appears to see valid consent as requiring the following five characteristics:
Clear affirmative action, meaning clear conduct or statements indicating acceptance.
Freely given, meaning it can be refused or revoked at any time without penalty.
Specific, meaning consent for unrelated purposes must be separately given.
Informed, meaning the individual was provided a clear notice containing certain information regarding the requested consent. 
Unambiguous agreement, meaning it was not obtained through the use a dark pattern
Furthermore, if a consumer withdraws their consent, Colorado requires the controller to either delete SPI or render it permanently anonymized or inaccessible in a reasonable amount after such a withdrawal.
Lastly, Colorado has special rules regarding the processing of processing of “sensitive data inferences,” which are inferences made by the controller from personal data that are used to indicate race, ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.
Two States Require the Consumer Be Provided a Clear Notice and the Right to Opt Out
In Iowa and Utah, a controller CANNOT process an Iowa or Utah resident’s SPI without first presenting them with a clear notice and opportunity to opt out of such processing.
Lastly, remember, just because you’ve complied with comprehensive state privacy laws does not mean you’re in the clear to process SPI.
There are numerous other federal, state, and local laws that may apply to processing of specific types of SPI. For example, there are many laws concerning genetic data. Illinois, Washington, and Texas each have laws concerning biometric data; New York City does too. Washington has a law concerning personal health data.
Thus, it is important to always confirm and understand all the various requirements of laws applicable to the SPI being processed.
 Ca. Civil Code § 1798.140(ae).
 Colo. Rev. Stat. § 6-1-1303(24).
 Conn. Gen. Stat. § 42-515(27).
 Iowa Code § 715D.1(26).
 Ind. Code § 24-15-2-28.
MCDPA § 2(24).
 Tenn. Code § 47-18-3201(26).
 Utah Code § 13-61-101(32).
 Va. Code § 59.1-575.
 Utah Code § 13-61-101(b)(i); however, the law exempts processing by a video communication service.
 In CA, this is defined as information concerning a consumer’s health. In CO, CT and MT, this is defined as mental or physical health condition or diagnosis. In IA, TN, and VA, this is defined as mental or physical health diagnosis. In IN, this is defined as mental or physical health diagnosis made by a health care provider. In UT, this is defined as medical history, mental or physical health condition, or medical treatment or diagnosis, however, it is subject to exceptions for processing by certain licensed health care professionals. Utah Code § 13-61-101(b)(ii).
See Ca. Civil Code § 1798.140(c).
See 4 Colo. Code Regs. § 904-3-2.02.
See Conn. Gen. Stat. § 42-515(3).
See Iowa Code § 715D.1(4).
See Ind. Code § 24-15-2-4.
See MCDPA § (2)3.
See Tenn. Code § 47-18-3201(3).
See Utah Code § 13-61-101(6).
See Va. Code § 59.1-575.
See Ca. Civil Code § 1798.140(w).
See Conn. Gen. Stat. § 42-525(19).
See Iowa Code § 715D.1(19).
See Ind. Code § 24-15-2-20.
See MCDPA § 2(16).
See Tenn. Code § 47-18-3201(18).
See Utah Code § 13-61-101(33).
See Va. Code § 59.1-575.
 There are specific requirements for processing personal information of those younger than 16 years old. See Cal. Code Regs. tit. 11, §§ 7070–7072.
 In Colorado, a child is anyone less than 13 years old. Colo. Rev. Stat. § 6-1-1303(4).
 CT adopts the definition of child under the federal Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. § 6501 et seq) (currently, anyone less than 13 years old). Conn. Gen. Stat. § 42-515(5).
 In Iowa, a child is anyone less than 13 years old. Iowa Code § 715D.1(5).
 In Indiana, a child is anyone less than 13 years old. Ind. Code § 24-15-2-6.
 In Montana, a child is anyone less than 13 years old. MCDPA § 2(4).
 In Tennessee, a child is anyone less than 13 years old. Tenn. Code § 47-18-3201(5).
 In Utah, a child is anyone less than 13 years old. Utah Code § 13-61-101(8).
 In Virginia, a child is anyone less than 13 years old. Va. Code § 59.1-575.
See Cal. Civil Code § 1798.121 (granting the right to limit); Cal. Code Regs. tit. 11, § 7027(a).
See Cal. Code Regs. tit. 11, § 7027(b).
Id. § 7027(b)(1); see also id. § 7015 (outlining the requirement for a valid alternative opt-out link).
Id. § 7027(g).
Id. § 7027(l).
See Colo. Rev. Stat. § 6-1-1309(2)(c); Conn. Gen. Stat. § 42-522(2)(a)(4); Ind. Code § 24-15-6-1(b)(4); Tenn. Code § 47-18-3206(a)(4); MCDPA § 9(1)(d); Va. Code § 59.1-580(A)(4) (each requiring controllers to perform data protection assessments when processing sensitive data); see also 4 Colo. Code Regs. § 904-3-8 (providing additional requirements for conducting assessments under CO law).
See Colo Rev. Stat. § 6-1-1308(7); Conn. Gen. Stat. § 42-520(a)(4); Ind. Code § 24-15-4-1(5); MCDPA § 7(2)(b); Tenn. Code § 47-18-3204(a)(6); Va. Code § 59.1-578(A)(5) (each requiring opt-in consent).
See Colo. Rev. Stat. § 6-1-1303(5); Conn. Gen. Stat. § 42-515(6); Ind. Code § 24-15-2-7; MCDPA § 2(5); Tenn. Code § 47-18-3201(6); Va. Code § 59.1-575 (each defining consent).
 4 Colo. Code Regs. § 904-3.
Id. § 904-3-7.03(B)
Id. § 904-3-7.03(C)
Id. § 904-3-7.03(D)
Id. § 904-3-7.03(E)
Id. § 904-3-7.03(F); see also, id. § 904-3-7.09 (providing rules regarding dark patterns).
Id. § 904-3-6.07(B)(3).
See 4 Colo. Code Regs. § 904-3-2.02 (defining sensitive data inferences). The opt-in consent requirement for consumers over the age of 13 does not apply to sensitive data inferences, if: (i) the processing purpose of such data is obvious to a reasonable consumer based on the context of collection and use of the data and the relationship between the controller and consumer; (ii) such inferences are permanently deleted within 24 hours of collection or completion of the processing activity (whichever is first); (iii) the inferences are not transferred, sold, or shared with processors, third parties, or affiliates; and (iv) the personal data and inferences are not processed for any purpose other than the express purpose disclosed to the consumer. 4 Colo Regs. § 904-3-6.10(B).
See Iowa Code § 715D.4(2); Utah Code § 13-61-302(3)(a).
 Iowa Code § 715D.4(2); Utah Code § 13-61-302(3)(a).
Compare Iowa Code § 715D.4(2) and Utah Code § 13-61-302(3)(a) (each describing the SPI notice), with Iowa Code § 715D.4(5) and Utah Code § 13-61-302(1) (each describing the general privacy notice).
See, e.g., Cal. Civil Code §§ 56.18 et seq.; Ariz. Rev. Stat. § 20-448.02; Genetic Information Nondiscrimination Act of 2008 (Pub. L. 110-233) 122. Stat. 881.
See 740 ILCS §§ 14/1 et seq.; Wash. Rev. Code §§ 18.375.010 et seq.; Tex. Bus. & Com. Code § 503.001; NYC Admin. Code §§ 22-1201 – 1205.
See Washington My Health, My Data Act, H.B. 1155 (2023).