Iubenda logo
Start generating

Documentation

Table of Contents

Sensitive Personal Information: US States Comparison

Any information that can be used to identify an individual is considered personal information. In the majority of privacy legislation, sensitive personal information is regarded as a special type of personal data. This type of data is particularly delicate since there may be a higher chance that the person it refers to could face discrimination.

👀 We had an in-depth look into how you can handle sensitive data and more under the CPRA and the VCDPA regulations. 

Click here to see how you can manage Sensitive Personal Information →

🔎 The chart below provides a more detailed look at how the different US States specifically define Sensitive Personal Information 👇

Florida (Digital Bill of Rights)
Delaware (DPDPA)
New Hampshire (NHDPA)
New Jersey (NJDPA)
Tennessee (TIPA)
Nebraksa (NDPA)
Personal information that reveals: Citizenship data

Social security, driver’s license, state Identification card, or passport number

Citizenship or immigration status

Citizenship or citizenship status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status and status as a victim of crime

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Citizenship or immigration status

Personal information that reveals: Account details

Account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.*

Financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account

Financial information, which shall include a consumer’s account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer’s financial account

Personal information that reveals: Location

Precise geolocation

Precise geolocation data

Precise geolocation data

Specific geolocation data

Precise geolocation data

Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates

Precise geolocation data

Precise geolocation data

Precise geolocation data

Precise geolocation data

Precise geolocation data

Precise geolocation data

Precise geolocation data

Precise geolocation data

Personal information that reveals: Origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

National origin and racial or ethnic background

Racial or ethnic origin

Racial or ethnic origin

National, racial, or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Personal information that reveals: Beliefs

Religious or philosophical beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Personal information that reveals: Union Membership

Union membership

Personal information that reveals: Health

Health

Mental or physical health diagnosis

Mental or physical health condition or diagnosis

Mental or physical health condition or diagnosis

Individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional

Mental or physical health diagnosis

Mental or physical condition or diagnosis

Mental or physical health diagnosis

Mental or physical health condition or diagnosis

Mental or physical health condition or diagnosis (including pregnancy)

Mental or physical health diagnosis

Mental or physical health condition or diagnosis

Mental or physical health condition, treatment or diagnosis

Mental or physical health diagnosis

Mental or physical health diagnosis

Personal information that reveals: Sex

Sex life or sexual orientation

Sexual orientation

Sex life or sexual orientation

Sex life or sexual orientation

Sexual orientation

Sexual orientation

Sexual orientation and status as transgender or nonbinary

Sexuality

Information about a person’s sex life, sexual orientation

Sex life, sexual orientation, and status as transgender or nonbinary

Sexual orientation

Sex life and sexual orientation

Sex life or sexual orientation and status as transgender or non-binary

Sexual orientation

Sexual orientation

Personal information that reveals: Email or SMS content of consumer

The contents of a consumer’s email, and text messages; unless the business is the intended recipient of the communication.

Personal information that reveals: Genetic/biometric data

Genetic data and biometric information, for the purpose of uniquely identifying a consumer.

Genetic or biometric data for the purpose of uniquely identifying a natural person

Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual

Genetic or biometric data for the purpose of uniquely identifying an individual

Genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual

Genetic or biometric data processed to uniquely identify an individual

Genetic or biometric data

Genetic or biometric data that is processed for the purpose of uniquely identifying an individual

Genetic or biometric data for the purpose of uniquely identifying an individual

Genetic or biometric data

Genetic or biometric data

The processing of genetic or biometric data to uniquely identify an individual

The processing of genetic or biometric data to uniquely identify an individual

Genetic or biometric data processed to uniquely identify an individual

Genetic or biometric data that is processed for the purpose of uniquely identifying an individual

Personal information that reveals: Information regarding minors

The personal data collected from a known child

Personal data from a known child

Personal data collected from a known child

Personal data of a known child (an individual under the age of 18)

A child’s personal data

Personal data collected from a known child

Personal data collected from a known child

Personal data of a known child (an individual under the age of 13

Personal data collected from a known child (any natural person younger than 13)

Personal data of a known child (an individual under the age of 13)

Personal data of a known child (an individual under the age of 13

Personal information collected from a known child (a natural person younger than 13)

Personal data of a known child (an individual under the age of 13

* Please note that under the CPRA, consumers’ account log-in, password or credentials are considered sensitive personal information. When processing this kind of information for purposes other than those mentioned in Sec. 1798.121., subdivision (a) of the Civil Code, you are required to inform of and allow consumers to exercise the right to limit the use or disclosure of their sensitive personal information to those purposes. The exceptions include but are not limited to, processing for the purpose of performing services or providing goods requested by a consumer or for purposes that do not infer characteristics about the consumer. Please verify whether your sensitive personal information processing activities fall within the scope of such exceptions.

Also note that similar exceptions also apply to the other laws including the VCDPA, CPA, CTDPA, and UCPA. However, there’s a slight difference:

  • For the CPRA, the exceptions refer to the processing of sensitive personal information exclusively;
  • Under the other US state laws, exceptions apply to the processing of any type of personal information.

In other words, this means that whenever controllers process personal data in order to perform one of the activities that constitute an exception on the list, they don’t have the follow the applicable legal requirements.

  • complying with federal, state, or local laws, rules, or regulations;
  • complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • conducting internal research to improve, repair, or develop products, services, or technology;
  • performing internal operations that the consumer could expect, based on their existing relationship with the controller;
  • providing a product or service specifically requested by a consumer, performing a contract with a consumer, or prior to entering into a contract;
  • protecting the vital interests of the consumer or of another individual;
  • preventing, detecting, protecting against, or responding to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity;
  • preserving the integrity or security of systems; or investigating, reporting, or prosecuting those responsible for any such action.

How can iubenda help manage Sensitive Personal Information? 

It goes without saying that Sensitive Personal Information must be handled carefully and is typically subject to additional processing requirements. 

👋 Did you know that generating a Privacy Policy with iubenda will automatically connect with our Privacy Controls and Cookie Solution

What does this mean?

Once you’ve set up your Privacy Policy our solution will “detect” if any Sensitive Personal Information has been declared and configure your Privacy Controls and Cookie Solution accordingly. 

Within the Privacy and Cookie Policy Generator select “Enable disclosures for users residing in the United States” to activate the new US-specific clauses. 

🚀 Better yet? Our Privacy Policy Generator provides US custom options. 

If particular Personal Information is also considered Sensitive Personal Information under one of the US legislation, it will automatically be displayed in the relevant section of your privacy policy. 

Make sure you enable “US State Laws” within the Privacy Controls and Cookie Solution: the solution will auto-configure to help you meet the new US requirements. 

⚠️ Please note: our solution supports only precise geolocation as sensitive personal information category, as it is that connected to browsing and navigation. If you have declared categories other than precise geolocation in your Privacy Policy, it will not be possible to manage the related choice mechanism through your Privacy Controls and Cookie Solution.

Not generated a Privacy Policy with us, or simply want to customize things yourself? 

Within Privacy Controls and Cookie Solution generator simply enable the US State Laws option and the support to manage consent for the processing of users’ precise geolocation data (if applicable). 

To do this, make sure you toggle on US State Laws and click on the Edit button. 

Next, click on Manual configuration. From here you can manage the consent for the processing of precise geolocation data.

🚀 It’s the perfect time to highlight that iubenda is one of the few providers that offers compatibility with both GPC signals and the IAB Global Privacy Platform (GPP). Our systems automatically detect and honor the GPC signal, streamlining opt-out requests and eliminating the need for script tagging within our Privacy Controls and Cookie Solution.

Once you’re done editing click on the back button and we’ll automatically save your preferences. Now all that’s left is to finish your set-up by clicking Confirm and Proceed. 

Finally, click on Complete the Configuration and you’ll be taken to the embedding instructions! 

🎉 Congratulations, you’re set up to meet US requirements! So, what’s next? 

Embedding our solutions is easy, check out some of our specific and detailed guides that walk you through, them step-by-step.