Introduction: A Two-Tier System
Modern privacy law treats personal data in two tiers: ordinary personal data, and sensitive personal data, a special category that gets heightened legal protection because its misuse can cause serious, often irreversible harm.
The distinction matters enormously. Under most U.S. state privacy laws, processing ordinary personal data (like your name and email address) requires businesses to give you the ability to opt out. But processing sensitive personal data typically requires something much stronger: your explicit, informed, opt-in consent before processing even begins.
This guide explains what sensitive personal data is, why it's treated differently, how definitions vary across different state laws, and what rights you have over your most sensitive information.
Why Some Data Is More Dangerous
The sensitivity of certain categories of data isn't arbitrary; it reflects the specific harms that exposure of this information can cause:
Health and medical data can affect your insurability, employment, relationships, and personal dignity. A data breach exposing your HIV status, mental health history, or pregnancy could lead to discrimination, job loss, or relationship damage.
Racial and ethnic origin can be used for discriminatory targeting in housing, employment, lending, and advertising, or to facilitate racially motivated harassment and violence.
Sexual orientation and gender identity remain targets of discrimination and violence in many contexts. Unauthorized exposure can be devastating professionally and socially, and physically dangerous in some environments.
Religious beliefs can similarly expose individuals to discrimination, violence, or targeting, particularly for religious minorities.
Precise geolocation can reveal where you worship, seek medical care, attend political meetings, or spend time with intimate partners, enabling stalking, targeted harassment, or profiling by authorities.
Biometric data (fingerprints, facial recognition templates, voice prints) is uniquely dangerous because, unlike a password, it cannot be changed if compromised.
Children's data requires special protection because children cannot meaningfully consent and are particularly vulnerable to manipulation and exploitation.
How States Define Sensitive Data
While most states agree on the general categories, the exact definitions differ in important ways:
California (CPRA) defines Sensitive Personal Information (SPI) to include: Social Security/driver's license/state ID/passport numbers; account log-in credentials with security codes; precise geolocation; racial or ethnic origin; religious beliefs; union membership; contents of mail, email, or texts; genetic data; biometric information for identification; health, sex life, or sexual orientation information.
Virginia (CDPA) defines sensitive data to include: racial/ethnic origin; religious beliefs; mental/physical health diagnoses; sexual orientation; citizenship/immigration status; genetic/biometric data; children's data; and precise geolocation.
Colorado (CPA) largely mirrors Virginia but also includes financial data combined with authentication credentials.
Connecticut and most other state laws follow similar frameworks to Virginia and Colorado, with minor variations in specific data types.
A key difference: California gives you the right to limit the use of sensitive data for purposes beyond what's needed to provide the service. Most other states require opt-in consent before any sensitive data processing begins at all, which is actually a stronger protection in many ways.
Biometric Data: A Special Case
Biometric data deserves special attention because several states have enacted biometric-specific privacy laws that go beyond general privacy frameworks:
Illinois' Biometric Information Privacy Act (BIPA), passed in 2008, is the nation's toughest biometric privacy law. It requires explicit written consent before collecting fingerprints, face scans, retina scans, or voice prints. Crucially, it provides a private right of action, allowing individuals to sue companies for violations without waiting for government enforcement. BIPA has generated billions of dollars in class action settlements against Facebook (Meta), Google, Amazon, and many others.
Texas and Washington also have biometric privacy laws, though without the private right of action that makes Illinois' BIPA so powerful.
The practical stakes: your fingerprint or facial geometry cannot be changed. If a password database is breached, you change your password. If a biometric database is breached, you can never change your face, making unauthorized biometric collection a permanent risk.
Your Rights Over Sensitive Data
Depending on your state, you have some or all of the following rights over your sensitive personal data:
Right to opt-in consent (most states): Companies must obtain your explicit, informed consent before processing sensitive personal data for any purpose beyond providing the service you requested. This consent must be freely given, specific, and revocable.
Right to limit (California): Even if a business already holds your sensitive data, you can instruct them to limit its use to what's necessary to provide the service.
Right to delete: Available under all state privacy laws; you can request deletion of sensitive data a business holds about you.
Right to access and portability: You can request a copy of what sensitive data a business holds about you.
Right to non-discrimination: Exercising any of these rights cannot be used against you: no higher prices, degraded service, or denial of access.