What’s the definition of sensitive data? What are some examples? Can you process sensitive information under privacy laws like the GDPR and the CPRA (the CCPA amendment)?
In this post, we’ll answer all these questions and show you what you may need to do to collect and process sensitive personal information.

What’s the definition of sensitive data?
When we talk about sensitive data, we refer to special categories of personal information that the processor must handle with extra care.
The main difference between regular personal data and sensitive data is that sensitive data could expose the user to discrimination if it were shared.
That’s because it includes information such as racial or ethnic origin, sexual orientation and religious beliefs, but also information about the user’s health, for instance.
International data privacy laws may take different views on what counts as sensitive data. There is, however, one point of common ground: all of them agree that you should collect and process sensitive data only if it is genuinely necessary for your activity. If you do need to collect sensitive information, you should store it securely and with the utmost care.
Some examples of sensitive personal information
Different privacy laws may define sensitive data differently. However, Article 9 of the GDPR gives a list of examples that applies well beyond the EU.
In its special categories of personal data, the GDPR includes:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (biometrics are measurements of the human body that can identify a person, such as fingerprints, facial recognition data, DNA, etc.);
- data concerning health;
- data concerning a natural person’s sex life or sexual orientation.
How to handle sensitive data
The collection and processing of sensitive data is generally allowed. However, you may need to apply extra layers of protection when handling it.
Let’s take a closer look at the main laws and their specific requirements:
GDPR (European Union)
Under the GDPR, you may only process sensitive data if the user has given explicit and informed consent, meaning that they need to clearly understand what they’re consenting to.
Processing is also allowed when the data is of vital importance in matters of public interest, social security, health, etc. If you collect and process personal data, and particularly if it is large-scale processing, you need to appoint a Data Protection Officer (DPO) and carry out a Data Protection Impact Assessment (DPIA).
You can learn more about GDPR requirements here.
CCPA (as amended by the CPRA) & CalOPPA (California)
Even though the CCPA (as amended by the CPRA) treats sensitive data as a subset of regular personal data, you may need to ask the user to opt in when sensitive information is at stake. This is especially true when minors are involved.
Update!
Since the CCPA did not include a definition of sensitive information, it has been amended. The new California Privacy Rights Act (CPRA) introduces the category of sensitive personal information (SPI), which calls for a higher level of data protection.
LGPD (Brazil)
Like the GDPR, the Brazilian LGPD allows the processing of personal data only if users have given their consent or if a consent exception applies.
How does the processing of sensitive data affect my business?
If your business collects and processes sensitive data, you may need to take extra steps to make sure you’re storing it securely.
Here’s what you may need to do:
1. Make sure that you absolutely need the data. A key principle of data privacy laws is data minimization, i.e. limiting your processing to only the data you truly need for your purposes. If you’ve determined that you really do need to process this data, continue to point 2.
2. Make sure that you’re able to provide the higher levels of security legally required to process this data.
3. Ensure that you have a proper legal basis to process the data. Under the GDPR this may mean fully informing the user, getting explicit consent from the person, and assigning a DPO – under other laws, it may mean other things.
Check which laws apply to you and make sure you’re following their rules.
How do you store sensitive data securely?
How iubenda can help
Here’s how iubenda’s solutions can greatly help when you’re processing sensitive data:
- Our Privacy and Cookie Policy Generator makes it easy to add legally required disclosures, information about your assigned Data Protection Officer, and much more.
- Our Register of Data Processing Activities helps you keep track of your processing activities and the purposes and legal bases attached to them, as legally required.
- Assigning a Data Protection Officer? Use this free Data Protection Officer (DPO) Appointment Letter (GDPR Template).