Sensitive Personal Information (CPRA)

Definition

Under CPRA Section 1798.140(ae), sensitive personal information is a subset of personal information that includes: Social Security numbers, driver's license numbers, state ID numbers, passport numbers, financial account access credentials, precise geolocation, racial/ethnic origin, religious/philosophical beliefs, union membership, mail/email/text message contents (when not directed to the business), genetic data, biometric information for unique identification, health information, and sex life or sexual orientation information.

This category receives enhanced protections: consumers have the right to limit businesses' use and disclosure of sensitive personal information to purposes necessary for performing services or providing goods reasonably expected. Businesses must provide 'Limit the Use of My Sensitive Personal Information' links and honor limitation requests. Unlike GDPR's special categories, CPRA's definition includes account credentials and precise location, reflecting digital privacy concerns. Organizations collecting sensitive personal information should implement heightened security, minimize collection, provide clear notices, honor limitation requests, and maintain records demonstrating the necessity of any uses beyond limited purposes.

Applicable Laws & Regulations

  1. CPRA Section 1798.140(ae)
  2. CPRA Section 1798.121
