Personal information is any data that can be used to identify an individual. Sensitive personal information, on the other hand, is considered as a special category of personal data under most data privacy laws. It is particularly delicate, as it may involve an increased risk of discrimination for the individual it refers to.
Due to its nature, sensitive personal information must be handled with caution and is usually subject to specific processing conditions. 👀 Keep reading for some examples of sensitive personal information.
The world’s strongest privacy law to date, the GDPR, defines sensitive data in Article 9 under “special categories of personal data”, as:
The DPA 2018 sets out the framework for data protection law in the UK. According to the ICO, it sits alongside and supplements the UK GDPR. Its definition of special category data is the same as the GDPR (listed above).
💡 Did you know?
New privacy laws have been recently introduced across the United States. Most of them have made protecting sensitive personal information essential.
👉 As a business, this is important news for you to be extra cautious when handling this type of data.
The CPRA (effective in 2023) is an amendment to the CCPA (effective in 2020), which was initially created in order to regulate the sale and collection of consumers’ personal information in California.
Amongst other things, a new category of protected data was introduced by the CPRA, called sensitive personal information (SPI). This idea is similar to the GDPR’s special categories mentioned above, and asks for a higher level of protection.
👉 Check out our dedicated section on SPI in our CPRA guide for more detail.
The VCDPA (effective January 1, 2023) is the new privacy law in the Commonwealth of Virginia that states that a business cannot process sensitive data concerning a consumer, without obtaining the consumer’s prior consent (opt-in).
It defines sensitive data as a category of personal data that includes:
The Colorado Privacy Act (effective July 1, 2023) governs the processing of personal and sensitive data in the State of Colorado. Like in Virginia, consent (opt-in) is required before processing any sensitive data and controllers are required to conduct data protection assessments.
The definition of sensitive data under the CPA is very similar to the VCDPA one:
Once again, the definition of sensitive information in the Australian Privacy Act is in line with the ones above and refers to data that requires a higher level of privacy protection. It includes, among others, information or an opinion about an individual’s:
💡 Want to know more about Australia’s privacy news? Read our article about Australia’s incoming data privacy bill.