What Is Sensitive Personal Information (SPI)? Definition, Examples & Laws

Sensitive Personal Information is more vulnerable than ever to privacy breaches and cyber-attacks.

Sensitive personal information refers to information that could be used to identify an individual and, in the wrong hands, cause significant harm. This includes Social Security numbers, bank account information, and health information.

In this article, we will discuss sensitive personal information examples, classification under the CPRA and GDPR, and best practices for protection.

What is Sensitive Personal Information (SPI)?

Sensitive personal information (SPI), also called sensitive PII (Personally Identifiable Information), is a specific category of personal data that requires a higher level of protection due to the potential harm its unauthorized disclosure could cause. Unlike general personal information such as a name or email address, SPI relates to aspects of a person’s life that are inherently private, legally protected, or capable of enabling discrimination, identity theft, financial fraud, or physical harm.

Shawn Loveland, COO of Resecurity, defines sensitive personal information as:

“Any data that, if shared without proper authorization, may seriously harm an individual’s privacy and security.”

— Shawn Loveland, COO, Resecurity

This doesn’t include regular contact details like your name, email address, and home address since most people share these openly. Instead, sensitive personal information includes things that are often kept confidential for good reason — data that, if exposed, could lead to discrimination, identity theft, financial loss, or personal harm.

Key characteristics of SPI include:

  • Potential for Harm: SPI can reveal sensitive aspects of a person’s life — such as their health status, financial situation, or personal beliefs — and cause serious harm if exposed without consent.
  • Special Legal Protection: Due to its sensitive nature, SPI is subject to stricter legal regulations and processing restrictions than ordinary personal data.
  • Consent Requirements: Most privacy laws require explicit, informed consent before SPI can be collected or processed.
  • Data Minimization: Organizations collecting SPI are expected to collect only the minimum amount necessary for a stated purpose.

Now, let’s dive into this sensitive personal information guide in full detail.

Why is Sensitive Personal Information Important to Protect?

Managing sensitive personal information is a big responsibility. As an organization, every bit of data you collect about your customers, employees, or users carries risk — and sensitive data carries the highest risk of all.

A data breach involving SPI can hurt far more than just the individual affected. It can expose your organization to regulatory fines, class action lawsuits, and long-lasting reputational damage. Consider what is at stake:

  • Privacy Rights: Individuals have a fundamental right to keep their sensitive information private. Exposure without consent violates that right.
  • Identity Theft & Fraud: SPI such as Social Security numbers, financial account data, and biometric identifiers can be used to commit identity theft, financial fraud, or account takeovers.
  • Discrimination: Exposure of racial origin, religious beliefs, sexual orientation, or health conditions can make individuals targets of discrimination or hate-motivated harm.
  • Legal & Regulatory Liability: Laws like GDPR, CPRA, HIPAA, and the GLBA require organizations to protect SPI. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover (whichever is higher) under GDPR.
  • Reputational Damage: Organizations that fail to protect SPI lose customer trust — often permanently. Studies consistently show that consumers stop using brands after data breaches involving sensitive data.

Sensitive Personal Information Examples

Understanding what qualifies as sensitive personal information (SPI) is the first step in protecting it. The following categories are widely recognized across major privacy frameworks including GDPR, CPRA, and HIPAA.

Financial Information

Your customers’ financial details are among the most commonly targeted categories of SPI. Financial information includes:

  • Credit card and debit card numbers (especially with CVV or security codes)
  • Bank account numbers and routing numbers
  • Investment account information and brokerage data
  • Tax returns, income records, and financial history
  • Loan and credit application data

Financial SPI is regulated under frameworks including the GLBA (Gramm-Leach-Bliley Act) in the US, PCI DSS for card data, and GDPR in the EU. Exposure of financial SPI is among the leading causes of identity theft and consumer fraud globally.

Medical and Health Information

Health-related information is one of the most sensitive categories of personal data. Medical SPI includes:

  • Medical records, diagnoses, and treatment histories
  • Prescription and medication information
  • Mental health records and therapy notes
  • Genetic data and DNA profiles
  • Health insurance plan details and claims history
  • Disability status and accommodation records

In the United States, medical SPI is heavily protected under HIPAA (Health Insurance Portability and Accountability Act). Unauthorized disclosure can lead to discrimination in employment, insurance denial, or severe personal distress. Under GDPR, health data is explicitly listed as a “special category” that may only be processed on one of the Article 9 lawful bases, such as the explicit consent of the data subject.

Sexual Orientation and Gender Identity

Today, more businesses are receptive to acknowledging identities that fall outside the gender binary. However, this information must be handled with extreme care. Sexual orientation and gender identity data is considered SPI because its unauthorized disclosure can expose individuals to discrimination, harassment, or violence, particularly in jurisdictions where LGBTQ+ protections are limited. This category includes:

  • Self-reported sexual orientation
  • Gender identity that differs from the sex assigned at birth
  • Transgender status and transition-related medical information

Both GDPR and CPRA explicitly classify data concerning a person’s sex life or sexual orientation as sensitive personal information requiring heightened protection.

Biometric Information

Biometric data is uniquely dangerous because, unlike a password, it cannot be changed. Once compromised, biometric identifiers are compromised forever. Biometric SPI includes:

  • Fingerprints and palm prints
  • Facial recognition data and facial geometry measurements
  • Iris and retinal scans
  • Voice prints and gait analysis
  • Keystroke dynamics used for identification

Several US states — including Illinois (BIPA), Texas, and Washington — have enacted specific biometric privacy laws. GDPR classifies biometric data processed for unique identification as a special category of personal data.

Criminal History

Past criminal records require stringent privacy protections. Revealing such sensitive information without a person’s consent can unfairly affect their employment prospects, housing applications, and personal relationships long after a sentence has been served. Criminal SPI includes:

  • Criminal convictions and charges
  • Arrest records and mugshots
  • Probation or parole conditions
  • Expunged or sealed court records

Under GDPR, the processing of personal data relating to criminal convictions and offences requires special authorization. Many US state privacy laws treat criminal history data similarly.

Ethnicity and Race

Information about people’s racial or ethnic background is explicitly classified as sensitive personal information across virtually every major privacy framework. This data, if exposed, can subject individuals to racial discrimination, profiling, targeted harassment, or hate-motivated harm. Racial and ethnic SPI includes:

  • Self-identified racial or ethnic background
  • Ancestry and genetic heritage data
  • National origin when used to infer ethnicity

Religious Beliefs

In a world that cherishes diversity and freedom of thought, religious beliefs must be respected as private matters. Religious SPI includes:

  • Religious affiliation, denomination, or faith tradition
  • Participation in religious activities or practices
  • Religious or philosophical beliefs that guide personal conduct
  • Membership in religious organizations

Both GDPR and CPRA treat religious beliefs as sensitive personal information. Disclosure without consent can expose individuals to employment discrimination, social stigma, or targeted persecution in certain contexts.

Geolocation Data

Precise geolocation data goes beyond a general city or region — it can reveal a person’s daily movements, home address, workplace, religious institution, medical facility visits, and other highly sensitive behavioral patterns. CPRA specifically includes geolocation data in its SPI classification. This includes:

  • GPS coordinates that pinpoint exact locations
  • Location history from mobile devices
  • Location data derived from IP addresses at a granular level

Private Communications

The contents of private messages — emails, text messages, direct messages, and voicemails — are considered SPI under CPRA and several other frameworks. People have a reasonable expectation that private communications remain private. Intercepting or disclosing these without consent is a serious privacy violation and may also constitute a criminal offense under wiretapping laws.

Does your business handle any of this information? If so, you must protect it and comply with all relevant regulations. Get in touch with us to find out how you can do that.

Sensitive Personal Information vs. PII vs. PHI: What’s the Difference?

These three terms are frequently confused. Here’s a clear breakdown:

  • PII (Personally Identifiable Information) is the broadest category — any data that can identify a specific individual, such as a name, email address, phone number, or IP address.
  • SPI (Sensitive Personal Information) is a subset of PII that carries a higher risk of harm if disclosed. Not all PII is SPI, but all SPI is PII.
  • PHI (Protected Health Information) is a US-specific category under HIPAA — it refers to health information that is linked to an individual and held by a covered entity or business associate.

The key difference: a name and email address are PII but not SPI. A person’s HIV status, bank account number, or biometric scan are both PII and SPI. A hospital’s record of a patient’s diagnosis is PII, SPI, and PHI. See our full comparison in PII vs SPI and PII vs PCI.

Sensitive Personal Information Under CPRA and GDPR

Different jurisdictions around the world define and handle SPI differently based on their specific data privacy frameworks. Two of the most widely applicable and influential privacy laws are the California Privacy Rights Act (CPRA) and the EU’s General Data Protection Regulation (GDPR).

CPRA Classification

The CPRA (California Privacy Rights Act) significantly expands on its predecessor, the CCPA, to give California consumers greater control over their most sensitive personal data. Under CPRA, consumers have the right to limit the use and disclosure of their SPI. CPRA-classified SPI includes:

  • Social Security numbers, driver’s license numbers, and state identification numbers
  • Account log-in credentials, financial account data, debit or credit card numbers combined with required security or access codes
  • Precise geolocation data
  • Racial or ethnic origin, religious or philosophical beliefs, and union membership
  • Genetic data and biometric data processed to uniquely identify an individual
  • Health information and information concerning sex life or sexual orientation
  • The contents of a consumer’s mail, email, or text messages (unless the business is the intended recipient)

GDPR Classification

The General Data Protection Regulation (GDPR) treats privacy as a fundamental human right. Under Article 9, GDPR creates a separate and stricter processing regime for “special categories” of personal data, which align closely with what is commonly called SPI. GDPR special categories include:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
  • Genetic data processed for the purpose of uniquely identifying a natural person
  • Biometric data processed for the purpose of uniquely identifying a natural person
  • Health-related data
  • Data concerning a person’s sex life and sexual orientation

Under GDPR Article 9, processing these special categories is prohibited unless one of ten specific lawful bases applies — including explicit consent, vital interests, or substantial public interest.

How Do CPRA, GDPR, and HIPAA Handle SPI? A Comparison

The table below summarizes how the three most important privacy frameworks classify and treat sensitive personal information:

| SPI Category | CPRA (California) | GDPR (EU) | HIPAA (US Health) |
| --- | --- | --- | --- |
| Financial Data (bank accounts, card numbers) | Yes — SPI, right to limit use | Not a special category, but general PII obligations apply | Yes, if related to healthcare payment |
| Health / Medical Information | Yes — SPI | Yes — Special Category (Art. 9) | Yes — Core PHI |
| Biometric Data | Yes — SPI | Yes — Special Category (Art. 9) | Yes, if linked to health records |
| Racial / Ethnic Origin | Yes — SPI | Yes — Special Category (Art. 9) | No specific provision |
| Religious Beliefs | Yes — SPI | Yes — Special Category (Art. 9) | No specific provision |
| Sexual Orientation | Yes — SPI | Yes — Special Category (Art. 9) | No specific provision |
| Genetic Data | Yes — SPI | Yes — Special Category (Art. 9) | Yes — Protected under GINA + HIPAA |
| Precise Geolocation | Yes — SPI | Indirectly protected | No specific provision |
| Private Communications | Yes — SPI (mail, email, texts) | General PII rules apply | Yes, if related to healthcare |
| Criminal History | Limited protection | Special rules under Art. 10 | No specific provision |

Best Practices for Protecting Sensitive Personal Information

Protecting sensitive personal data isn’t just a legal obligation — it also builds consumer trust and protects your organization from costly breaches. Best practices vary from technical measures like encryption and access controls to procedural ones like employee training and data privacy impact assessments.

Best Practices for Businesses

Nick Henderson-Mayo, Director at Vinciworks, recommends:

“Start with a good classification system. Ensure sensitive personal data is properly labelled and organised so that it can be kept separate from less sensitive data and given additional protections.”

— Nick Henderson-Mayo, Director, Vinciworks

  • Data Classification: Identify and label all SPI your organization collects so it can be given appropriate protections and access restrictions.
  • Encryption: Encrypt SPI both in transit (TLS) and at rest. Encryption keeps data unreadable if it is intercepted or stolen, provided the keys are stored and managed separately from the encrypted data.
  • Access Controls: Apply the principle of least privilege — only employees who need SPI for their specific job duties should have access. Use role-based access controls (RBAC).
  • Multi-Factor Authentication (MFA): Require MFA for all accounts that can access systems containing SPI.
  • Privacy Impact Assessments (PIAs / DPIAs): Before launching new products or services that process SPI, conduct a Data Protection Impact Assessment to identify and mitigate risks.
  • Employee Training: Educate all staff on how to handle SPI securely, recognize phishing attempts, and respond to suspected breaches.
  • Secure Disposal: When SPI is no longer needed for its stated purpose, dispose of it securely — shred physical documents and use certified data wiping for digital files.
  • Vendor Due Diligence: Any third-party vendor that processes SPI on your behalf must have adequate security controls. Review Data Processing Agreements (DPAs) carefully.
  • Incident Response Plan: Have a documented plan for responding to data breaches involving SPI, including required notification timelines (72 hours to the supervisory authority under GDPR Article 33, 30–45 days under most US state laws).
  • Regular Audits: Conduct periodic security audits and vulnerability assessments of all systems that store or process SPI.
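As an added example (not code from the article or from Captain Compliance), here is a small Python data-classification scan of the kind the Data Classification and Data Minimization points describe: it labels record fields that hold CPRA SPI categories from the list above (Social Security number, payment card number, precise geolocation), attaches an assumed handling rule, and produces a minimized copy that no longer contains SPI. The category names follow the article; the handling text, the geolocation precision threshold and the sample record are this example's assumptions.

```python
import re

# Labels follow the CPRA SPI categories listed above; the handling text is
# this example's own assumption about what a classification policy attaches.
HANDLING = {
    "SSN": "encrypt at rest, need-to-know access, mask in logs",
    "CARD_NUMBER": "encrypt at rest, PCI DSS scope, never store the CVV",
    "PRECISE_GEOLOCATION": "encrypt at rest, honour the CPRA right to limit use",
}
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
# Assumed threshold: three or more decimals (~110 m) counts as precise geolocation.
GEO_RE = re.compile(r"^(-?\d{1,2}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})$")

def is_plausible_ssn(value: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (13-19 digits)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_precise_geolocation(value: str) -> bool:
    m = GEO_RE.match(value)
    return bool(m) and abs(float(m.group(1))) <= 90 and abs(float(m.group(2))) <= 180

def classify_record(record: dict) -> dict:
    """Return {field: SPI label} for each field whose value looks like SPI."""
    labels = {}
    for field, value in record.items():
        value = str(value)
        if is_plausible_ssn(value):
            labels[field] = "SSN"
        elif luhn_ok(value):
            labels[field] = "CARD_NUMBER"
        elif is_precise_geolocation(value):
            labels[field] = "PRECISE_GEOLOCATION"
    return labels

def minimize_record(record: dict) -> dict:
    """Data minimization for a view that does not need the raw SPI: keep the
    last four digits of SSN/card, coarsen location to one decimal (~11 km)."""
    out = dict(record)
    for field, label in classify_record(record).items():
        value = str(record[field])
        if label in ("SSN", "CARD_NUMBER"):
            out[field] = re.sub(r"\d(?=.*\d{4}$)", "*", value)
        else:
            lat, lon = (float(p) for p in value.split(","))
            out[field] = f"{lat:.1f},{lon:.1f}"
    return out

# Constructed sample record; the SSN and card number are test values, not real ones.
SAMPLE = {"name": "Ada Example", "email": "ada@example.com", "ssn": "123-45-6789",
          "card": "4111111111111111", "last_seen": "37.77493,-122.41942"}
```

Running `classify_record(SAMPLE)` flags only the SSN, card and location fields (the name and email are PII but not SPI, matching the FAQ below), and `classify_record(minimize_record(SAMPLE))` returns an empty dict, which is the check a support-view export should pass before it leaves the protected system.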

Best Practices for Individuals

Individuals can also take meaningful steps to protect their own sensitive personal information:

  • Create strong, unique passwords for all accounts and use a password manager
  • Enable multi-factor authentication on financial, health, and government accounts
  • Regularly review privacy settings on apps, social media, and devices
  • Be skeptical of unsolicited requests for sensitive data — legitimate organizations will not ask for your SSN or full financial details via email
  • Monitor bank statements and credit reports regularly for unauthorized activity
  • Use reputable security software including antivirus and firewall tools
  • Shred physical documents containing sensitive data before disposal
  • Avoid sharing sensitive information over public Wi-Fi or unsecured networks
  • Exercise your data rights — under GDPR and CPRA, you have the right to know what SPI is held about you and to request its deletion

What Happens If SPI Is Breached? Legal Consequences

A breach of sensitive personal information can trigger significant legal, financial, and reputational consequences. Key consequences include:

  • GDPR Fines: Up to €20 million or 4% of global annual revenue (whichever is higher) for serious violations involving special category data.
  • CPRA Penalties: $100 per consumer per incident for unintentional violations and $750 per consumer per incident for intentional violations. For breaches involving children’s SPI, fines are tripled.
  • HIPAA Penalties: Civil penalties ranging from $100 to $50,000 per violation, with an annual maximum of $1.9 million per violation category. Criminal penalties can include up to 10 years in prison for intentional misuse.
  • Class Action Lawsuits: Consumers in California can bring private rights of action under CPRA without needing to prove harm if certain SPI categories are involved in a breach.
  • Mandatory Breach Notification: Most jurisdictions require notification to affected individuals and regulators within a set timeframe following a breach of SPI.

Frequently Asked Questions About Sensitive Personal Information

Is an email address considered sensitive personal information?

No, in most cases an email address alone is not classified as SPI. It is general personally identifiable information (PII). However, an email address becomes more sensitive when combined with other data (such as health status, financial account details, or location history) that could enable harm if disclosed without consent.

What is the difference between SPI and PII?

PII (Personally Identifiable Information) is the broader category — it includes any data that can identify a person, such as name, address, or phone number. SPI (Sensitive Personal Information) is a narrower subset of PII that carries a higher potential for harm if disclosed, such as health information, financial credentials, biometric data, or racial and ethnic origin. All SPI is PII, but not all PII is SPI.

Does GDPR cover sensitive personal information?

Yes. Under GDPR Article 9, certain categories of data are classified as “special categories of personal data” and receive the highest level of protection. These include racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. Processing these categories is generally prohibited unless an explicit lawful basis applies, such as explicit consent from the data subject. You can review the full text of GDPR Article 9 on the official GDPR resource.

What is not considered sensitive personal information?

General personal identifiers that most people share publicly are typically not classified as SPI. These include: a person’s full name, general email address, standard mailing address, general phone number, employer name, and job title. However, context matters — even non-sensitive data can become sensitive when combined with other data points that reveal private aspects of a person’s life.

What are the penalties for mishandling sensitive personal information?

Penalties vary by jurisdiction and regulation. Under GDPR, fines can reach €20 million or 4% of global annual revenue. Under CPRA, per-incident fines apply per consumer, with tripled fines for violations involving minors’ SPI. Under HIPAA, penalties range from $100 to $50,000 per violation. Beyond regulatory fines, organizations may also face private civil litigation, class action lawsuits, and significant reputational damage.

How long can businesses retain sensitive personal information?

There is no universal retention period — it depends on the applicable law and the purpose for which the data was collected. Under GDPR, SPI must not be retained longer than necessary for the stated purpose (the “storage limitation” principle). Under HIPAA, medical records must be retained for a minimum of six years. Under CPRA, businesses must disclose their retention periods and may not retain SPI longer than reasonably necessary.

How Can Captain Compliance Help With Sensitive Personal Information Compliance?

Sensitive personal data protection isn’t just necessary — it’s often legally mandated and essential to maintaining the trust of your customers, employees, and partners. Failing to protect SPI exposes your organization to regulatory penalties, civil liability, and irreparable reputational harm.

Remember: working with SPI is a responsibility that should not be taken lightly. That’s why companies across industries rely on Captain Compliance to manage their data privacy obligations.

Captain Compliance can handle all compliance needs for your business — from cookie consent management and privacy policy generation to DSAR portals and GDPR/CPRA gap assessments — so you can focus on what you do best. Contact us today for a free consultation to learn what you should be doing for your sensitive data.
