Key Takeaways
| Point |
Summary |
| What it is |
A subset of personal information requiring additional protections |
| When introduced |
CPRA amendments (effective January 1, 2023) |
| Consumer right |
Right to limit use to specific purposes |
| Required link |
"Limit the Use of My Sensitive Personal Information" |
| Key difference from GDPR |
Consumer must actively limit use (vs. GDPR's opt-in approach) |
Quick Answer: Sensitive personal information includes Social Security numbers, financial account credentials, precise geolocation, race/ethnicity, religious beliefs, union membership, private communications, genetic data, biometrics, health data, sex life/orientation, and immigration status. Consumers can limit its use to specific purposes.
What is Sensitive Personal Information?
Sensitive personal information (SPI) is a subset of personal information that the CPRA recognizes as deserving heightened protection due to the potential harm from its misuse.
| Characteristic |
Details |
| Definition |
Personal information revealing or consisting of specific categories |
| Standard |
Information that could seriously harm individuals if exposed |
| Consumer control |
Right to limit use and disclosure |
| Business obligation |
Provide "Limit" link and honor limitations |
Categories of Sensitive Personal Information
Government Identifiers
| Data Type |
Examples |
| Social Security number |
Full or partial SSN |
| State identification |
Driver's license number, state ID number |
| Passport number |
Full passport identifier |
| Other government IDs |
Tax ID, military ID, immigration documents |
Financial Account Access
| Data Type |
Examples |
| Account numbers |
Bank account, investment account numbers |
| Access credentials |
Combined with passwords, PINs, security codes |
| Payment cards |
Credit or debit card numbers with security info |
Note: The account number alone is personal information. It becomes SPI when combined with access credentials.
Precise Geolocation
| Characteristic |
Details |
| Definition |
Location within a radius of 1,850 feet (approximately 564 meters) |
| Examples |
GPS coordinates, cell tower triangulation, Wi-Fi location |
| Not included |
City-level location, ZIP code, general region |
| Use cases |
Navigation, location-based services, tracking |
Protected Characteristics
| Data Type |
Examples |
| Racial origin |
Self-identified race or ethnicity |
| Ethnic origin |
Heritage, national origin indicators |
| Religious beliefs |
Faith, denomination, religious practices |
| Philosophical beliefs |
Ethical or moral convictions |
| Union membership |
Labor union affiliation |
Genetic Data
| Data Type |
Examples |
| DNA |
Genetic test results, sequencing data |
| Family history |
Genetic family health history |
| Biological relationships |
Paternity, ancestry information |
| Inherited traits |
Genetic markers for conditions |
Biometric Information
| Data Type |
Requirements |
| Fingerprints |
When used for identification |
| Face geometry |
Facial recognition data |
| Voice prints |
Voice pattern analysis |
| Retina/iris scans |
Eye pattern data |
| Other unique identifiers |
Gait, keystroke dynamics, etc. |
Key qualifier: Biometric data is SPI only when processed to uniquely identify a consumer.
Private Communications
| Data Type |
Conditions |
| Mail contents |
When business is not intended recipient |
| Email contents |
When business is not intended recipient |
| Text messages |
When business is not intended recipient |
| Other messages |
Private communications the business intercepts or accesses |
Exception: If the business is the intended recipient of the communication, it is not considered SPI.
Health Information
| Data Type |
Examples |
| Medical history |
Past diagnoses, treatments, procedures |
| Current conditions |
Active health issues, chronic conditions |
| Mental health |
Psychological conditions, therapy records |
| Disabilities |
Physical or mental disability information |
Sex Life and Sexual Orientation
| Data Type |
Examples |
| Sexual orientation |
LGBTQ+ status |
| Sex life information |
Intimate details, dating preferences |
| Related inferences |
Derived sexual orientation data |
Immigration Status (Added 2024)
| Data Type |
Examples |
| Citizenship status |
Whether the consumer is a citizen |
| Immigration status |
Visa type, residency status, work authorization |
Assembly Bill 947, effective January 1, 2024, added immigration and citizenship status to the SPI categories.
Consumer Rights for Sensitive Personal Information
Right to Limit Use
Consumers can direct businesses to limit the use of their SPI to specific purposes.
| Aspect |
Details |
| Consumer action |
Request to limit SPI use |
| Effect |
Business restricted to permitted purposes |
| Mechanism |
"Limit the Use of My Sensitive Personal Information" link |
| Alternative |
Combined link with sale/sharing opt-out |
Permitted Uses After Limitation
When a consumer limits SPI use, businesses may only use it for:
| Permitted Purpose |
Examples |
| Perform services requested |
Completing a transaction, providing requested services |
| Ensure security |
Detecting breaches, protecting against fraud |
| Maintain quality |
Verifying product quality, safety |
| Short-term transient use |
Contextual advertising (same interaction) |
| Perform services for business |
Service provider activities under contract |
| Debug and repair |
Identifying and fixing errors |
| Protect rights |
Legal compliance, defense of claims |
Uses Requiring Explicit Consent
If a business wants to use SPI beyond permitted purposes after a consumer limits use, it must obtain explicit consent.
| Requirement |
Details |
| Consent type |
Affirmative, informed, freely given |
| Disclosure |
Clear explanation of intended uses |
| Revocability |
Consumer can withdraw consent |
| Documentation |
Maintain consent records |
Business Obligations for SPI
Notice Requirements
| Disclosure |
Location |
| Categories collected |
Privacy policy |
| Purposes of collection |
Privacy policy and at-collection notice |
| Consumer rights |
Privacy policy |
| How to limit use |
Privacy policy and designated link |
Link Requirements
| Requirement |
Details |
| Link text |
"Limit the Use of My Sensitive Personal Information" |
| Placement |
Homepage, privacy policy |
| Alternative |
Combined with opt-out: "Do Not Sell or Share/Limit Use" |
| Functionality |
Must actually limit use upon request |
Data Minimization
| Principle |
Application to SPI |
| Collection |
Only collect SPI reasonably necessary for disclosed purposes |
| Retention |
Do not retain longer than reasonably necessary |
| Use |
Only use for purposes disclosed at collection |
SPI vs. Regular Personal Information
| Aspect |
Personal Information |
Sensitive Personal Information |
| Definition |
Identifies, relates to, or could be linked to a consumer |
Subset revealing specific high-risk categories |
| Consumer right |
Know, delete, correct, opt-out |
All PI rights plus right to limit use |
| Default status |
Can collect with notice |
Can collect with notice but must allow limiting |
| Risk level |
Varies |
Consistently high |
| Link required |
Opt-out link |
Both opt-out and limit links |
Comparison with GDPR Special Categories
| Aspect |
CCPA/CPRA |
GDPR |
| Terminology |
Sensitive personal information |
Special categories of personal data |
| Default |
Collection permitted with notice |
Processing prohibited by default |
| Consumer role |
Must request limitation |
Opt-in consent or legal basis required |
| Categories overlap |
Yes, significant overlap |
Yes, significant overlap |
| Unique to CCPA |
Financial credentials, precise geolocation, private communications |
Political opinions (as category) |
Common Questions
Is all health data SPI?
Health data "collected and analyzed concerning a consumer's health" is SPI. Incidental health information (like ordering a product for someone with allergies) may not rise to the SPI level, but businesses should err on the side of caution.
What about inferences?
Inferences about SPI categories (e.g., inferring sexual orientation from behavior) are treated as SPI.
Must I have a separate SPI link?
No. You may combine the "Limit the Use of My Sensitive Personal Information" functionality with your opt-out link, using combined language.
What if I need SPI for my core service?
You can use SPI for performing the services requested by the consumer. The limitation applies to secondary uses beyond the primary service.
Does the right to limit apply to service providers?
Businesses must instruct their service providers and contractors to also limit SPI use when a consumer exercises this right.
Implementation Checklist
How Bastion Helps
Handling sensitive personal information requires careful attention to data categorization, consumer rights, and processing controls.
| Challenge |
How We Help |
| SPI identification |
Data mapping to identify SPI across systems |
| Compliance mechanisms |
Implementation of limit-use functionality |
| Policy updates |
Privacy notice language for SPI disclosures |
| Consent management |
Systems for obtaining and tracking SPI consent |
| Service provider contracts |
Addenda for SPI handling requirements |
Need help managing sensitive personal information under CCPA? Talk to our team →
Sources
