Update for Connecticut and Utah: What Is Considered Sensitive Personal Information?
Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not expressly reference “sensitive” categories of personal information, but they functionally impart additional protections on certain categories of personal information. As a result, many data privacy attorneys colloquially refer to the fields as “sensitive” or “special.” For example, while the CCPA did not use the term “sensitive personal information,” it imparted upon data subjects enhanced protections for specific data types (e.g., Social Security Number, Driver’s License Number) in the event of a data breach which caused many privacy attorneys and privacy advocates to informally refer to those data types as being sensitive. The CPRA did use the term “sensitive personal information” which functionally created a second category of data types that received special status (albeit one that overlapped in many cases with the earlier category of data types).
It is worth noting that some privacy frameworks, such as the NIST Privacy Framework, do not define, or refer to, sensitive personal information. Other privacy frameworks, such as ISO 27701 and 29100, define the term generally (and circuitously) as any category of personal information “whose nature is sensitive” or that might have a significant impact on a data subject.