
Sensitive Personal Information: US States Comparison

Any information that can be used to identify an individual is considered personal information. In the majority of privacy legislation, sensitive personal information is regarded as a special type of personal data. This type of data is particularly delicate since there may be a higher chance that the person it refers to could face discrimination.

👀 We had an in-depth look into how you can handle sensitive data and more under the CPRA and the VCDPA regulations. 


🔎 The chart below provides a more detailed look at how the different US States specifically define Sensitive Personal Information 👇

Personal information that reveals: Citizenship data

Social security, driver’s license, state Identification card, or passport number

Citizenship or immigration status

Citizenship or citizenship status

Citizenship or immigration status

Citizenship or immigration status

Personal information that reveals: Account details

Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.*

Personal information that reveals: Location

Precise geolocation

Precise geolocation data

Precise geolocation data

Specific geolocation data

Personal information that reveals: Origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Racial or ethnic origin

Personal information that reveals: Beliefs

Religious or philosophical beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Religious beliefs

Personal information that reveals: Union Membership

Union membership

Personal information that reveals: Health


Mental or physical health diagnosis

Mental or physical health condition or diagnosis

Mental or physical health condition or diagnosis

Individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional

Personal information that reveals: Sex

Sex life or sexual orientation

Sexual orientation

Sex life or sexual orientation

Sex life or sexual orientation

Sexual orientation

Personal information that reveals: Email or SMS content of consumer

The contents of a consumer’s email and text messages, unless the business is the intended recipient of the communication.

Personal information that reveals: Genetic/biometric data

Genetic data and biometric information, for the purpose of uniquely identifying a consumer.

Genetic or biometric data for the purpose of uniquely identifying a natural person

Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual

Genetic or biometric data for the purpose of uniquely identifying an individual

Genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual

Personal information that reveals: Information regarding minors

The personal data collected from a known child

Personal data from a known child

Personal data collected from a known child

* Please note that under the CPRA, consumers’ account log-in, password or credentials are considered sensitive personal information. When processing this kind of information for purposes other than those mentioned in Sec. 1798.121., subdivision (a) of the Civil Code, you are required to inform consumers of, and allow them to exercise, the right to limit the use or disclosure of their sensitive personal information to those purposes. The exceptions include, but are not limited to, processing for the purpose of performing services or providing goods requested by a consumer or for purposes that do not infer characteristics about the consumer. Please verify whether your sensitive personal information processing activities fall within the scope of such exceptions.

Note that similar exceptions also apply to the other laws, including the VCDPA, CPA, CTDPA, and UCPA. However, there’s a slight difference:

  • For the CPRA, the exceptions refer to the processing of sensitive personal information exclusively;
  • Under the other US state laws, exceptions apply to the processing of any type of personal information.

In other words, whenever controllers process personal data in order to perform one of the activities that constitute an exception on the list, they don’t have to follow the applicable legal requirements.

  • complying with federal, state, or local laws, rules, or regulations;
  • complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • conducting internal research to improve, repair, or develop products, services, or technology;
  • performing internal operations that the consumer could expect, based on their existing relationship with the controller;
  • providing a product or service specifically requested by a consumer, performing a contract with a consumer, or prior to entering into a contract;
  • protecting the vital interests of the consumer or of another individual;
  • preventing, detecting, protecting against, or responding to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity;
  • preserving the integrity or security of systems; or investigating, reporting, or prosecuting those responsible for any such action.

How can iubenda help manage Sensitive Personal Information? 

It goes without saying that Sensitive Personal Information must be handled carefully and is typically subject to additional processing requirements. 

👋 Did you know that generating a Privacy Policy with iubenda will automatically connect with our Privacy Controls and Cookie Solution?

What does this mean?

Once you’ve set up your Privacy Policy, our solution will “detect” if any Sensitive Personal Information has been declared and configure your Privacy Controls and Cookie Solution accordingly. 

Within the Privacy and Cookie Policy Generator select “Enable disclosures for users residing in the United States” to activate the new US-specific clauses. 

🚀 Better yet? Our Privacy Policy Generator provides US custom options. 

If particular Personal Information is also considered Sensitive Personal Information under one of the US laws, it will automatically be displayed in the relevant section of your privacy policy. 

Make sure you enable “US State Laws” within the Privacy Controls and Cookie Solution: the solution will auto-configure to help you meet the new US requirements. 

⚠️ Please note: our solution currently supports three sensitive personal information categories (more will follow soon). If you have declared categories other than these three in your Privacy Policy, it is not currently possible to manage them through the Privacy Controls and Cookie Solution.

As always, iubenda will keep you informed of any updates: we’ll let you know as soon as more categories are available so that you can adjust your configuration accordingly.

Not generated a Privacy Policy with us, or simply want to customize things yourself? 

Within the Privacy Controls and Cookie Solution generator, simply enable the US State Laws option and the support for managing consent for Sensitive Personal Information (if applicable). 

To do this, make sure you toggle on US State Laws and click on the Edit button. 

Next, click on Manual configuration and select Ask users to consent to the processing of their sensitive personal information. 

🚀 It’s the perfect time to highlight that iubenda is one of the few providers that offers compatibility with both GPC signals and the IAB Global Privacy Platform (GPP). Our systems automatically detect and honor the GPC signal, streamlining opt-out requests and eliminating the need for script tagging within our Privacy Controls and Cookie Solution.

From here you can manage the consent for Sensitive Personal Information.

Once you’re done editing, click on the back button and we’ll automatically save your preferences. Now all that’s left is to finish your set-up by clicking Confirm and Proceed. 

Finally, click on Complete the Configuration and you’ll be taken to the embedding instructions! 

🎉 Congratulations, you’re set up to meet US requirements! So, what’s next? 

Embedding our solutions is easy. Check out some of our specific and detailed guides that walk you through them step by step.