Language is a funny thing. Depending on what you call fizzy drinks or how you refer to a group of people (y’all, youse, or you guys), linguists can make a good guess at where in the United States you live. 

Most of the time, these regional language differences are no big deal. But when differences in definition lead to different applications of the law, things get…tricky. 

Take one of the major buzzwords in data privacy laws: “sensitive data.”

Sensitive data is a type of personal information requiring more protection than others. But here’s the problem: not all personal information is considered sensitive, and different regulations define “sensitive data” differently. 

This discrepancy can create huge headaches for businesses, not to mention serious compliance risks and liabilities if your data is not handled correctly within each jurisdiction.

So, what do businesses need to know about sensitive data, and how can they manage it to protect their customers and businesses? 

What is sensitive data?

Data privacy laws generally protect individuals’ rights to control their personal data and regulate how businesses can collect, use, process, share, store, and sell that information. 

Sensitive data is a type of personal data. Think of it like the finger-thumb comparison: All sensitive data is personal data, but not all personal data is sensitive data. 

Several data categories may be deemed sensitive information. Most U.S. state data privacy laws include the following under the umbrella of sensitive data:

  • Citizenship or immigration status
  • Personal data that indicates a person’s racial or ethnic origin, political opinions, or religious or philosophical beliefs (Oregon also covers data about a person’s national origin.)
  • Data that reveals a person’s precise geolocation (the statutes define “precise” as a radius around the person or their device; Colorado and Oregon, for example, use 1,750 feet)
  • Mental or physical health diagnoses
  • Data regarding a person’s sexual orientation
  • Genetic or biometric data (some states, such as Tennessee, Nebraska, and New Jersey, treat this data as sensitive only when it is processed to uniquely identify an individual)

But that’s just taking a domestic view! The European Union’s General Data Protection Regulation (GDPR) also singles out sensitive data (referred to as “special categories of personal data” in Article 9), and its list includes categories that aren’t consistently addressed in U.S. privacy regulations, such as trade union membership and data concerning a person’s sex life. Data about criminal convictions and offences is not a “special category” but is handled separately, and just as strictly, under Article 10.

Special categories of sensitive data

Let’s explore “special categories” a bit further. Most states have their own peculiarities and special categories of sensitive data that businesses must consider. 

Here are a few examples to illustrate this:

The California Consumer Privacy Act (as amended by the California Privacy Rights Act), which is often considered the most expansive state data privacy law, defines “sensitive personal information” to include data points such as:

  • Identifying data such as a person’s Social Security, driver’s license, state identification, or passport number
  • Any account login, password, or credentials allowing access to an account
  • Trade union membership
  • Contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
  • Philosophical beliefs

Other states focus more narrowly on particular issues. For example, Washington’s My Health My Data Act focuses on health data, including information from health apps, fitness trackers, and other consumer health technologies. It treats this “consumer health data” as protected even when it is collected outside the traditional healthcare setting, which goes further than most comprehensive state privacy laws. (And Washington’s not the only state with health data regulations; Nevada, Maryland, and Connecticut are also in the game here.)

Sensitive data: opt-in vs. opt-out

Many state regulations (but not all!) require opt-in consent for sensitive data. What does “many” mean, though? This quick breakdown is here to help. 

  • Opt-in states
    • Colorado
    • Connecticut
    • Delaware
    • Indiana
    • Montana
    • Oregon
    • Tennessee
    • Texas
    • Virginia
  • Opt-out states
    • California
    • Iowa
    • Utah
  • Other notable requirements
    • Florida requires opt-in consent for processing sensitive data of minors under 18
    • Texas requires posting a notice if you’re selling sensitive or biometric data
    • Maryland bans the sale of sensitive data outright, and bars selling, or using for targeted advertising, the personal data of consumers under 18

Okay, but what does it mean if you require opt-in? 

It means that consumers must explicitly allow a business to collect that information through informed consent. Let’s say you’re signing up for a fitness tracking app as you train for a 10k. To give explicit permission, you might click an unchecked box next to a statement such as “I consent to the collection and processing of my health data for personalized fitness recommendations.” (And ideally, the consent request will be accompanied by an explanation of how the health data will be used, stored, and protected.) A pre-checked box, or consent bundled into the general terms of service, does not count as opt-in.

Opt-out is generally considered less stringent than opt-in. So, if you’ve been operating in an opt-out state and are expanding your operations, you may have to make some significant process changes to stay compliant with newly applicable laws.

What about GDPR? Under this law, processing special category data requires both a lawful basis under Article 6 and one of the specific conditions in Article 9(2), most commonly the explicit consent of the individual or, in some situations, necessity for reasons of substantial public interest.

How can companies manage sensitive data and comply with such varying privacy laws? 

Tracking the matrix of sensitive data categories can feel like a full-time job. So, how can businesses balance legal requirements with operational efficiency?

While a business may take several steps depending on its needs, the general elements of success can be divided into the following categories.

Understanding your data

Maintaining an accurate data inventory, and keeping it current, is one of the best ways to set yourself up for success. If you understand your data, you are better equipped to manage it (and to get the most value out of it!). 

Regular data inventory reports can help ensure that you classify your data correctly and that sensitive data undergoes the correct processing procedures. During this process, you can review how to identify this kind of information within your organization and who has access to it.

What does this entail? Beyond conducting a data inventory, you should:

  • Update data inventory when onboarding new vendors, including details on what types of data they’ll have access to and their data protection measures.
  • Regularly assess whether the current data collection aligns with business needs and legal requirements.
  • Discuss changes and any new data processing activities or technologies being considered in meetings with business units.
  • Consider using a dedicated data inventory management tool to keep documentation accessible and up to date.

Implementing privacy by design principles

Privacy by design is a strategy that places privacy as a central structural requirement of your systems and operations rather than an afterthought.

The seven foundational principles of privacy by design are:

  1. Proactive, not reactive; preventative, not remedial
  2. Privacy as the default setting
  3. Privacy embedded into the design
  4. Full functionality: positive-sum, not zero-sum (privacy alongside security and usability, not traded off against them)
  5. End-to-end security, across the full lifecycle of the data
  6. Visibility and transparency
  7. Respect for user privacy

Be proactive about privacy impact assessments

Privacy impact assessments (PIAs) are an important resource for businesses to flag the privacy risks of a process, product, service, or feature. Proactive PIAs, conducted when you start collecting new data (especially sensitive data), enable businesses to mitigate risks before proceeding with the initiative. 

PIAs are often required under data protection laws before processing sensitive or high-risk data (under GDPR they are called data protection impact assessments, or DPIAs). Still, beyond requirements, they also provide significant advantages through increased efficiency, compliance, documentation, and transparency with governmental and public bodies.

PIAs also help businesses address potential issues with cross-border data transfers.   

Take a close look at your data retention practices

Just because you have it doesn’t mean you need to keep it.

It’s easy for businesses to overlook their data retention and deletion practices. However, many privacy laws require that personal data, especially sensitive data, be kept for no longer than necessary for the purposes for which it was collected. 

And let’s be clear: sensitive data needs to have a business purpose to be processed! What’s more, sensitive data collection (and its purposes) needs to be disclosed in privacy notices. 

Under regulations like CCPA or GDPR, there are specific disclosure requirements around this; under CCPA, for example, businesses need to disclose that consumers are able to limit the use of their sensitive personal information to what is necessary to provide the requested goods or services (the “right to limit”). 

To make sure you’re one of the businesses handling it correctly, create clear data retention policies that:

  • Specify how long different data types will be kept based on legal requirements and business needs.
  • Detail how data will be securely deleted or anonymized when no longer needed.
  • Outline the process for regular reviews of stored data to ensure compliance with retention policies.
  • Address how privacy rights requests will be managed; for example, the CCPA gives consumers the right to opt out of, or limit, the use of sensitive personal information for secondary purposes.
  • Describe procedures for handling data retention during legal holds or investigations.

These policies should be documented, communicated to all relevant staff, and regularly updated to reflect changes in laws or business practices.
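To show what a retention policy looks like once it is enforced rather than just documented, here is an added Python example; it is not code from the original post or from Red Clover Advisors. The retention schedule, the record fields, the action names, and the sample inventory are all hypothetical. It applies a per-classification retention window, refuses to touch anything under a legal hold, anonymizes rather than deletes where the schedule says so, drops sensitive data that has no documented purpose, and routes unclassified data to human review instead of auto-deleting it.

```python
# Added example (not from the original post): a retention sweep over a data
# inventory. Policy, record shape and sample rows are hypothetical.
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Hypothetical retention schedule: classification -> (max age in days, action on expiry).
# Sensitive classes get short windows. "anonymize" keeps the row for aggregate
# statistics with the subject link stripped; "delete" removes it entirely.
RETENTION_POLICY = {
    "account_profile":     (3 * 365, "delete"),
    "health":              (365,     "delete"),
    "precise_geolocation": (30,      "delete"),
    "fitness_activity":    (180,     "anonymize"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str           # links the row to a person; cleared on anonymization
    classification: str
    sensitive: bool           # sensitive under the applicable law
    purpose: str              # documented processing purpose ("" = none recorded)
    collected: date
    legal_hold: bool = False  # set by legal; suspends deletion for this record


def decide(record: Record, today: date) -> str:
    """Return the action the policy requires for one record on a given day."""
    if record.legal_hold:
        return "hold"        # never delete or alter data under a legal hold
    policy = RETENTION_POLICY.get(record.classification)
    if policy is None:
        return "review"      # unclassified data: a human decides, never the sweep
    if record.sensitive and not record.purpose:
        return "delete"      # sensitive data with no disclosed purpose may not be kept
    max_age, expiry_action = policy
    if (today - record.collected).days <= max_age:
        return "retain"
    return expiry_action


def anonymize(record: Record) -> Record:
    """Strip the subject link so the row can no longer identify a person."""
    return replace(record, subject_id="", sensitive=False, purpose="aggregate statistics")


def sweep(records, today: date):
    """Apply the policy to an inventory.

    Returns ({action: [record_id, ...]}, surviving rows), with anonymized rows
    already rewritten and deleted rows absent.
    """
    actions = {}
    kept = []
    for r in records:
        action = decide(r, today)
        actions.setdefault(action, []).append(r.record_id)
        if action == "delete":
            continue
        kept.append(anonymize(r) if action == "anonymize" else r)
    return actions, kept


# Constructed sample inventory, evaluated as of a fixed date so results are repeatable.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Record("r1", "u100", "account_profile", False, "service delivery", TODAY - timedelta(days=400)),
    Record("r2", "u100", "health", True, "personalized recommendations", TODAY - timedelta(days=400)),
    Record("r3", "u101", "health", True, "", TODAY - timedelta(days=10)),
    Record("r4", "u102", "precise_geolocation", True, "route mapping", TODAY - timedelta(days=90), legal_hold=True),
    Record("r5", "u103", "fitness_activity", False, "personalized recommendations", TODAY - timedelta(days=200)),
    Record("r6", "u104", "support_chat_transcript", False, "customer support", TODAY - timedelta(days=900)),
]

if __name__ == "__main__":
    actions, kept = sweep(SAMPLE, TODAY)
    for action, ids in sorted(actions.items()):
        print(f"{action:9s} {', '.join(ids)}")
```

Run as a scheduled job, the `review` bucket becomes the agenda for the regular review the policy calls for, and the `hold` bucket is the audit trail showing that the legal hold was respected. The decision order matters: the hold check comes first so that nothing else in the policy can override it, and the "unknown classification" branch returns `review` rather than falling through to a default window, because an inventory gap should surface as work for a person, not as silent retention or silent deletion.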


Translating privacy laws, one dialect at a time  

As dialects vary from region to region, so do the definitions and applications of “sensitive data” in privacy laws across states.

Need a translator to navigate data privacy laws? Contact Red Clover Advisors to discuss how you can protect your data privacy and security.