Any information that can be used to identify an individual is considered personal information. In the majority of privacy legislation, sensitive personal information is regarded as a special type of personal data. This type of data is particularly delicate since there may be a higher chance that the person it refers to could face discrimination.
👀 We had an in-depth look into how you can handle sensitive data and more under the CPRA and the VCDPA regulations.
Click here to see how you can manage Sensitive Personal Information →
🔎 The chart below provides a more detailed look at how the different US States specifically define Sensitive Personal Information 👇
| Personal information that reveals: Citizenship data |
Social security, driver’s license, state Identification card, or passport number |
Citizenship or immigration status |
Citizenship or citizenship status |
Citizenship or immigration status |
Citizenship or immigration status |
| Personal information that reveals: Account details |
Account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.* |
❌ |
❌ |
❌ |
❌ |
| Personal information that reveals: Location |
Precise geolocation |
Precise geolocation data |
❌ |
Precise geolocation data |
Specific geolocation data |
| Personal information that reveals: Origin |
Racial or ethnic origin |
Racial or ethnic origin |
Racial or ethnic origin |
Racial or ethnic origin |
Racial or ethnic origin |
| Personal information that reveals: Beliefs |
Religious or philosophical beliefs |
Religious beliefs |
Religious beliefs |
Religious beliefs |
Religious beliefs |
| Personal information that reveals: Union Membership |
Union membership |
❌ |
❌ |
❌ |
❌ |
| Personal information that reveals: Health |
Health |
Mental or physical health diagnosis |
Mental or physical health condition or diagnosis |
Mental or physical health condition or diagnosis |
Individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional |
| Personal information that reveals: Sex |
Sex life or sexual orientation |
Sexual orientation |
Sex life or sexual orientation |
Sex life or sexual orientation |
Sexual orientation |
| Personal information that reveals: Email or SMS content of consumer |
The contents of a consumer’s email, and text messages; unless the business is the intended recipient of the communication. |
❌ |
❌ |
❌ |
❌ |
| Personal information that reveals: Genetic/biometric data |
Genetic data and biometric information, for the purpose of uniquely identifying a consumer. |
Genetic or biometric data for the purpose of uniquely identifying a natural person |
Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual |
Genetic or biometric data for the purpose of uniquely identifying an individual |
Genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual |
| Personal information that reveals: Information regarding minors |
❌ |
The personal data collected from a known child |
Personal data from a known child |
Personal data collected from a known child |
❌ |
* Please note that under the CPRA, consumers’ account log-in, password or credentials are considered sensitive personal information. When processing this kind of information for purposes other than those mentioned in Sec. 1798.121., subdivision (a) of the Civil Code, you are required to inform of and allow consumers to exercise the right to limit the use or disclosure of their sensitive personal information to those purposes. The exceptions include but are not limited to, processing for the purpose of performing services or providing goods requested by a consumer or for purposes that do not infer characteristics about the consumer. Please verify whether your sensitive personal information processing activities fall within the scope of such exceptions.
Also note that similar exceptions also apply to the other laws including the VCDPA, CPA, CTDPA, and UCPA. However, there’s a slight difference:
In other words, this means that whenever controllers process personal data in order to perform one of the activities that constitute an exception on the list, they don’t have the follow the applicable legal requirements.
It goes without saying that Sensitive Personal Information must be handled carefully and is typically subject to additional processing requirements.
👋 Did you know that generating a Privacy Policy with iubenda will automatically connect with our Privacy Controls and Cookie Solution?
What does this mean?
Once you’ve set up your Privacy Policy our solution will “detect” if any Sensitive Personal Information has been declared and configure your Privacy Controls and Cookie Solution accordingly.
Within the Privacy and Cookie Policy Generator select “Enable disclosures for users residing in the United States” to activate the new US-specific clauses.
🚀 Better yet? Our Privacy Policy Generator provides US custom options.
If particular Personal Information is also considered Sensitive Personal Information under one of the US legislation, it will automatically be displayed in the relevant section of your privacy policy.
Make sure you enable “US State Laws” within the Privacy Controls and Cookie Solution: the solution will auto-configure to help you meet the new US requirements.
⚠️ Please note: our solution supports only precise geolocation as sensitive personal information category, as it is that connected to browsing and navigation. If you have declared categories other than precise geolocation in your Privacy Policy, it will not be possible to manage the related choice mechanism through your Privacy Controls and Cookie Solution.
Not generated a Privacy Policy with us, or simply want to customize things yourself?
Within Privacy Controls and Cookie Solution generator simply enable the US State Laws option and the support to manage consent for the processing of users’ precise geolocation data (if applicable).
To do this, make sure you toggle on US State Laws and click on the Edit button.
Next, click on Manual configuration. From here you can manage the consent for the processing of precise geolocation data.
🚀 It’s the perfect time to highlight that iubenda is one of the few providers that offers compatibility with both GPC signals and the IAB Global Privacy Platform (GPP). Our systems automatically detect and honor the GPC signal, streamlining opt-out requests and eliminating the need for script tagging within our Privacy Controls and Cookie Solution.
Once you’re done editing click on the back button and we’ll automatically save your preferences. Now all that’s left is to finish your set-up by clicking Confirm and Proceed.
Finally, click on Complete the Configuration and you’ll be taken to the embedding instructions!
🎉 Congratulations, you’re set up to meet US requirements! So, what’s next?
Embedding our solutions is easy, check out some of our specific and detailed guides that walk you through, them step-by-step.
