Iubenda logo
Start generating

Documentation

Table of Contents

What Is Considered Sensitive Personal Information?

Personal information is any data that can be used to identify an individual. Sensitive personal information, on the other hand, is considered as a special category of personal data under most data privacy laws. It is particularly delicate, as it may involve an increased risk of discrimination for the individual it refers to.

Due to its nature, sensitive personal information must be handled with caution and is usually subject to specific processing conditions. 👀 Keep reading for some examples of sensitive personal information.

sensitive personal information

🇪🇺 What is Sensitive Personal Information under Europe’s Privacy Laws

🔍 The EU’s General Data Protection Regulation (GDPR)

The world’s strongest privacy law to date, the GDPR, defines sensitive data in Article 9 under “special categories of personal data”, as:

  • racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership
  • genetic and biometric data, data concerning health or a natural person’s sex life or sexual orientation.

🔍 The UK’s Data Protection Act 2018

The DPA 2018 sets out the framework for data protection law in the UK. According to the ICO, it sits alongside and supplements the UK GDPR. Its definition of special category data is the same as the GDPR (listed above).

🇺🇸 What is Sensitive Personal Information under US Privacy Laws

💡 Did you know?

New privacy laws have been recently introduced across the United States. Most of them have made protecting sensitive personal information essential.

👉 As a business, this is important news for you to be extra cautious when handling this type of data.

🔍 The California Privacy Rights Act (CPRA)

The CPRA (effective in 2023) is an amendment to the CCPA (effective in 2020), which was initially created in order to regulate the sale and collection of consumers’ personal information in California.

Amongst other things, a new category of protected data was introduced by the CPRA, called sensitive personal information (SPI). This idea is similar to the GDPR’s special categories mentioned above, and asks for a higher level of protection.

👉 Check out our dedicated section on SPI in our CPRA guide for more detail.

🔍 The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA (effective January 1, 2023) is the new privacy law in the Commonwealth of Virginia that states that a business cannot process sensitive data concerning a consumer, without obtaining the consumer’s prior consent (opt-in).

It defines sensitive data as a category of personal data that includes:

  • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  • the processing of genetic or biometric data for the purpose of uniquely identifying a natural person
  • the personal data collected from a known child
  • precise geolocation data.

🔍 The Colorado Privacy Act (CPA)

The Colorado Privacy Act (effective July 1, 2023) governs the processing of personal and sensitive data in the State of Colorado. Like in Virginia, consent (opt-in) is required before processing any sensitive data and controllers are required to conduct data protection assessments.

The definition of sensitive data under the CPA is very similar to the VCDPA one:

  • personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship, or citizenship status
  • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
  • personal data from a known child.

🇦🇺 What is Sensitive Personal Information under Australia Privacy Laws

🔍 The Australian Privacy Act 1988 and Principles

Once again, the definition of sensitive information in the Australian Privacy Act is in line with the ones above and refers to data that requires a higher level of privacy protection. It includes, among others, information or an opinion about an individual’s:

  • racial or ethnic origin
  • political opinions or membership of a political association
  • religious or philosophical beliefs
  • trade union membership
  • sexual orientation or practices
  • criminal record
  • health or genetic information
  • certain biometric information.

💡 Want to know more about Australia’s privacy news? Read our article about Australia’s incoming data privacy bill.

You handle sensitive personal information?

Make sure to display the required notice on your website and to request consent, when needed.

Generate your US and GDPR-compliant consent banner!

See also