June 24, 2021

Volume XI, Number 175

Advertisement

June 23, 2021

Subscribe to Latest Legal News and Analysis

June 22, 2021

Subscribe to Latest Legal News and Analysis

June 21, 2021

Subscribe to Latest Legal News and Analysis

What is Considered Sensitive Personal Information?

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not expressly reference “sensitive” categories of personal information, but they functionally impart additional protections on certain categories of personal information. As a result, many data privacy attorneys colloquially refer to the fields as “sensitive” or “special.” For example, while the CCPA did not use the term “sensitive personal information” it imparted upon data subjects enhanced protections for specific data types (e.g., Social Security Number, Driver’s License Number) in the event of a data breach; this caused many privacy attorneys and privacy advocates to informally refer to those data types as being sensitive. The CPRA did use the term “sensitive personal information” which functionally created a second category of data types that received special status (albeit one that largely overlapped with the earlier category of data types).

It is worth noting that some privacy frameworks, such as the NIST Privacy Framework, do not define, or refer to, sensitive personal information. Other privacy frameworks, such as ISO 27701 and 29100, define the term generally (and circuitously) as any category of personal information “whose nature is sensitive” or that might have a significant impact on a data subject.

The following provides a side-by-side comparison of how some of the main data privacy statutes define the term:

Data Field

GDPR

CCPA / CPRA

De Facto Sensitive As Given Enhanced Litigation Rights1

CPRA

Defined as Sensitive Personal Information2

VCDPA3

Biometric data

(only if used to uniquely identify a data subject)

(only in combination with name)

(only if used to uniquely identify a data subject)

(only if used to uniquely identify a data subject)

Child-collected data

 

 

 

Citizenship

 

 

 

Contents of consumer’s email

 

 

 

Contents of consumer’s mail

 

 

 

Contents of consumer’s SMS texts

 

 

 

Credit card number (with required security code or password)

 

(only in combination with name)

 

Debit card number (with required security code or password)

 

(only in combination with name)

 

Driver’s License Number

 

(only in combination with name)

 

Ethnic origin

 

Financial account number (which permits access to the account)

 

(only in combination with name)

 

Genetic data

(only if used to uniquely identify a data subject)

 

(only if used to uniquely identify a data subject)

Health information

 

 

 

Health insurance information

 

(only in combination with name)

 

 

Immigration Status

 

 

 

Medical or health information

(only in combination with name)

 

(mental or physical diagnosis)

Military identification number

 

(only in combination with name)

 

 

Other unique identification number issued on a government document used to verify identity

 

(only in combination with name)

 

 

Passport number

 

(only in combination with name)

 

Philosophical beliefs

 

 

Political opinion

 

 

 

Precise geolocation

 

 

Racial origin

 

Religious beliefs

 

Sex life

 

 

Sexual orientation

 

Social Security Number

 

(only in combination with name)

 

Tax identification number

 

(only in combination with name)

 

 

Trade union membership

 

 

Username and password that would permit access to an online account.

 

[1]

 

1 Cal. Civ. Code 1798.150(a)(1) (West 2021) (incorporating by reference data fields referred to in Cal. Civ. Code 1798.81.5(d)(1)(A).

2 Cal. Civ. Code 1798.140(ae)(1), (2) (West 2021).

3 Va. Code 59.1-571.

[1] The CPRA refers to a “consumer’s account log-in” in combination with any required security or access code, password, or credentials allowing access to an account. Cal. Civ. Code § 1798.140(ae)(1)(B) (West 2021).

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 134
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement