What collecting sensitive data really means and what’s at stake for your business

When did you last think about what your website actually collects? Even small and medium businesses need to ask themselves this question.

Not just the usual email addresses and names. Think a little deeper. Does your contact form ask about a health condition or a legal situation? Does your site let users book appointments and describe their symptoms? Do the analytics tools you’ve installed log which health or legal topics your users search for, or track which sensitive content they click on?

If any of those sound familiar, you’re likely handling what the law calls sensitive personal data. And if you haven’t thought much about it, you’re not alone. Many website owners and founders don’t realize they’re processing it at all.

This piece is not a legal deep dive but a clear-eyed look at what sensitive data actually is, why it carries a different level of risk, what the law asks of you, and why all of this matters more than ever in the age of AI.

What is sensitive data?

Not all personal data is equal. A name and email address are personal data. Sensitive data is a specific category that sits higher on the risk scale because, if exposed or misused, it can lead to discrimination, harm, or serious violations of a person’s privacy.

Under the General Data Protection Regulation (GDPR), sensitive data is called “special categories of personal data” and defined in Article 9. It includes:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • genetic data,
  • biometric data (e.g. fingerprints, face recognition, DNA),
  • data concerning health,
  • data concerning a natural person’s sex life or sexual orientation.

You might be handling it without realizing it

Here’s the part that catches a lot of website owners off guard.

Sensitive data often enters your systems through channels that aren’t obviously sensitive:

  • A booking form for a therapy practice, a nutritionist, or a legal service almost certainly collects sensitive data by default.
  • A comment section on a health or lifestyle website might contain personal disclosures from users who don’t think they are submitting sensitive data.
  • A job application form that asks about disabilities or accommodation needs crosses into protected territory.

Third-party tools add another layer. The analytics plugins, chatbots, form builders, and marketing integrations you’ve added to your site may collect or infer sensitive attributes about your users.

Breaches and exposure: two risks, one standard

When most people think about data risk, they picture a cyberattack. A sophisticated hacker breaking into a server, stealing thousands of records. That happens. But a large share of sensitive data incidents have a far more mundane cause.

Sensitive data exposure is the unintentional disclosure of protected information. Not a deliberate attack, but an open door:

  • weak or absent encryption on a form submission,
  • a misconfigured database that makes records publicly accessible,
  • a support email sent to the wrong recipient,
  • a third-party plugin that stores user data insecurely.

It can also happen when a team member uploads a customer file to a personal cloud storage account or pastes sensitive information into an AI tool without thinking about where that data ends up.

What’s actually at stake

One of the most common assumptions among small and medium businesses is: we’re too small to be a target. The data says otherwise.

Research from Proton’s breach observatory shows that 71% of all data breaches target businesses with fewer than 250 employees. Companies with under 10 employees account for 23% of all breaches. Smaller organizations generally have fewer resources and fewer lines of defense.

The financial consequences aren’t abstract. According to IBM’s Cost of a Data Breach Report, the global average cost of a data breach is USD 4.44 million.

Data breaches are not just financial hits but existential threats to business continuity. 86% of businesses experienced operational disruption following a breach and most (65%) report they haven’t fully recovered. Customer personally identifiable information (PII) was the most stolen or compromised data type in 53% of all breaches.

One insight from IBM’s research gives a quick reality check: “On a long enough timeline, data breaches are inevitable. They happen despite strong preventative measures.” What matters is whether, when an incident does happen, you’ll be in a position to respond, recover, and remain accountable.

What the law requires

Sensitive data under the GDPR

The GDPR sets a high bar for processing special categories of data, especially when done at a large scale. Here’s what that looks like in practice:

  • Explicit consent (usually through your cookie banner or at the point of collection, e.g., a form): Users must give explicit, informed, opt-in consent before you process their sensitive data. That means a clear, specific ask at the point of collection, not a pre-checked box buried in your terms. If your website collects sensitive data through a form, the consent on that form needs to match.
  • A privacy policy that discloses what you collect: If your website processes sensitive data, your privacy policy must say so explicitly. That means listing which special categories you collect, why you collect them, the legal basis for processing, and how long you keep them.
  • Data Protection Officer (DPO): If your core activities involve large-scale processing of sensitive data, regulations require you to appoint a DPO under Article 37.
  • Data Protection Impact Assessment (DPIA): Before processing sensitive data at scale, or when introducing new technologies, carry out a DPIA to identify and minimize risks. If you’re unsure whether your processing qualifies as high-risk, the safer move is to run one anyway. It’s both a legal safeguard and a practical way to spot problems before they become costly ones.
  • Records of processing activities: Keep full, up-to-date records of what you collect, why, and how you protect it. If a regulator comes asking, you need to be able to show you had actual safeguards in place.
  • Privacy by design: Build data protection into your website before you start collecting, not as an afterthought. Encryption on form submissions, access controls on your database, and clear staff guidance on data handling are all part of what the regulation expects.

Sensitive personal information under US privacy laws

The United States doesn’t have a single federal privacy law. California’s Privacy Rights Act (CPRA) introduced a dedicated “sensitive personal information” category with meaningful obligations attached. If your website handles sensitive personal information, you must:

  • add a “Limit the Use of My Sensitive Personal Information” link directly on the site,
  • make a Notice at Collection available at or before the point of data collection (at the form level, not just in your privacy policy),
  • give users accessible controls to exercise their rights.

The CPRA requires prior opt-in consent before you process sensitive data. That’s a stronger position than the opt-out model that governs most other data categories under US law.

Several other states, including Virginia, Minnesota, and Tennessee, have followed with their own definitions and consent requirements. Learn more about state-level regulation requirements.

AI is raising the stakes

Everything above describes how sensitive data has always needed to be handled.

Recently, AI has added a new layer of exposure that most businesses haven’t fully accounted for yet, for example by making AI tools available to employees in high-risk scenarios where those tools could end up receiving sensitive customer data.

The European Data Protection Board (EDPB) published a dedicated report on AI privacy risks in April 2025. The risks it identified are concrete:

  • AI models can memorize and reproduce sensitive data from their training sets.
  • Operators often log interactions containing sensitive information.
  • Inference attacks can reconstruct personal attributes from inputs that seem completely neutral.

“Organizations are skipping over security and governance for AI in favor of do-it-now AI adoption.” The result is what’s known as shadow AI: employees using AI applications outside any company oversight. And the risks are high when sensitive data is involved, with no controls and no accountability.

Questions worth sitting with

Privacy and data protection are not static goals but ongoing commitments. That means this isn’t a one-time box to check when you launch your site.

A few honest questions to start with:

  • Do you know what sensitive data your website actually collects? Take the sensitive data definition that we’ve seen above, go through your forms, your plugins… You may be collecting more than you intend to.
  • Do you actually need to collect this data in the first place? Before thinking about how to protect sensitive data, ask whether you need it. If you can’t clearly explain why a specific piece of sensitive information is necessary for your service, don’t collect it. Every data point you don’t collect is a risk you don’t carry.
  • Is your consent set up correctly at the form level? If a form on your site collects sensitive data, a standard cookie notice isn’t enough. You need explicit, informed, opt-in consent at the point of collection.
  • Do you have a DPIA on file? If your site processes special categories of data, a DPIA is likely required under the GDPR. It’s also one of the clearest ways to show accountability if questions arise.
  • Does your team have a policy for AI tools? 63% of breached organizations either lacked an AI governance policy or were still developing one at the time of their breach (IBM study). If your team uses AI tools to handle company or customer data, you need clarity on what flows in and under what conditions.

Where to go from here

Handling sensitive data is typically seen as a niche concern for large enterprises or companies in sectors like healthcare. In reality, all website owners should look into it.

The rules exist because the harm is real. The GDPR’s special categories framework and the growing body of US state privacy law aren’t bureaucratic overreach. They reflect the fact that sensitive data, when mishandled, causes genuine and sometimes irreversible damage.

Know what your website collects. Build your legal basis before you collect it. Put the right safeguards in place. And when the laws evolve, make sure your setup does too.

iubenda’s set of digital compliance tools can help you do exactly that: build a privacy setup that communicates and reflects your actual data practices, meet your consent obligations, and keep things aligned as regulations change.
