When you handle personal information, you may be subject to one or more privacy laws. These laws often have extra restrictions and requirements when you process a particular category of personal information called "sensitive personal information."
Here's what you need to know and do.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue with building your Privacy Policy while answering on questions from our wizard:
-
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.




- 1. What is Personal Information?
- 2. What's Different About Sensitive Personal Information?
- 3. Why Does the Difference Between Personal Information and Sensitive Personal Information Matter?
- 4. Personal Information and Sensitive Personal Information in Key Privacy Laws
- 4.1. General Data Protection Regulation (GDPR)
- 4.1.1. Definitions
- 4.1.2. Requirements
- 4.2. LGPD
- 4.2.1. Definitions
- 4.2.2. Requirements
- 4.3. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 4.3.1. Definitions
- 4.3.2. Requirements
- 4.4. Australia's Privacy Act
- 4.4.1. Definitions
- 4.4.2. Requirements
- 4.5. Protection of Personal Information (POPI) Act
- 4.5.1. Definitions
- 4.5.2. Requirements
- 4.6. California Privacy Rights Act (CPRA)
- 4.6.1. Definition
- 4.6.2. Requirements
- 4.7. Other State Laws
- 4.7.1. Definition
- 4.7.2. Requirements
- 5. Summary
What is Personal Information?
Personal information is usually defined as information about an identifiable person. While definitions vary between different privacy laws, it commonly includes information such as:
- Names
- Phone numbers
- Addresses
- Dates of birth
- Financial information
- Geolocation information
The common principle in most data laws is that personal information is about a specific person. For example, the average income level on Walnut Grove being $40,000 is not personal information. However, Mr Smith of 24 Walnut Grove having an income of $55,000 is personal information.
Most privacy laws have some exemptions for personal information that is already lawfully in the public domain.
For example, Mr Smith being the registered owner of Heavenly Hot Tubs Inc would not count as personal information. Similarly, the salary of the local Senator would not count as personal information as it's a matter of public record.
What's Different About Sensitive Personal Information?
Sensitive personal information is usually defined as a type of personal information where a data breach would cause significant harm to the individual. While precise definitions vary between different privacy laws, it commonly includes information covering:
- Financial status
- Health
- Personal beliefs such as religion and politics
- Sexual identity and preference
- Race
Some data laws use different terminology for "sensitive personal information" but the same principles apply.
Why Does the Difference Between Personal Information and Sensitive Personal Information Matter?
Privacy laws which have separate rules for sensitive personal information usually vary in two ways:
- The requirements for the data controller (the person or organization that handles the personal information) are stricter with sensitive information, for example requiring additional security measures or specific justification.
- The penalties for breaching the rules may be more severe in cases involving sensitive personal information.
Personal Information and Sensitive Personal Information in Key Privacy Laws
Here are some of the main ways that major privacy laws address sensitive personal information.
General Data Protection Regulation (GDPR)
This law broadly applies when the data controller, the data subject (the person the data is about) or the processing itself is in a European Union country. Identical or similar rules apply in Iceland, Lichtenstein, Norway, Switzerland and the United Kingdom through either national laws or agreements with the EU.
Definitions
The GDPR defines personal data as "any information relating to an identified or identifiable natural person." It gives examples including "a name, an identification number, location data, an online identifier" or something else relating to the person's "physical, physiological, genetic, mental, economic, cultural or social identity."
The GDPR defines sensitive personal information using the term "special categories of personal data." It defines it as:
"personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation."
Requirements
The GDPR says you must have a legitimate basis to process personal information: in other words, one of a specific list of reasons and situations. When you process sensitive personal information, some of these legitimate bases have tighter constraints, for example:
- Consent must explicitly cover the stated purpose of the processing.
- The legitimate interests basis is not available to for-profit businesses.
You must appoint a dedicated Data Protection Officer if your core business activity includes large scale processing of sensitive personal information.
Under the GDPR you must always carry out a data protection impact assessment when processing data of a type, or in a way, that carries a high risk to people's data rights. While this will often not apply to ordinary personal data, any large-scale processing of sensitive personal information automatically meets this threshold.
Turning Point's Privacy Policy addresses the types of data it processes. The health data category would count as sensitive personal information under the GDPR:

LGPD
This Brazilian law is similar in concept and principles to the GDPR. It generally applies if the data subject, the data collection or the data processing is in Brazil. It also applies if the data processing is done to provide goods or services in Brazil.
Definitions
The LGPD defines sensitive personal information as:
"personal data on racial or ethnic origin, religious conviction, political opinion, union affiliation or religious, philosophical or political organization, health or sexual life data, genetic or biometric data, when linked to a natural person."
Requirements
As with the GDPR, the main difference with sensitive personal information (compared with ordinary personal information) involves the choice of lawful basis. Under the LGPD, the legitimate interests basis cannot be used at all with sensitive personal information.
Funem Studio only collects data classed as ordinary personal data. This means it can use the data for the listed purposes under the legitimate interests basis. This would not be allowed with sensitive personal information:

Personal Information Protection and Electronic Documents Act (PIPEDA)
This federal Canadian law applies to most businesses that aren't covered by another federal or provincial privacy law.
Definitions
PIPEDA uses the concept of sensitive personal information but doesn't specifically define it. Official guidance says some information such as health and financial records is inherently sensitive. Other information may be sensitive because of its topic.
The guidance gives examples that a magazine subscriber's name and address isn't inherently sensitive but could be so if it's a "special interest" magazine.
Requirements
The main effect of data being classed as sensitive under PIPEDA is that consent to process the data must be express rather than implied. This means you can't assume consent or use an opt-out system. Instead, you must get meaningful, active consent such as signing a form.
RSI Security gives some examples of what should be in a consent form:

Australia's Privacy Act
This federal law applies to government agencies, large businesses (with a turnover above $3 million AUD), and all businesses in particular fields such as private healthcare and credit reporting.
Definitions
The act defines sensitive personal information as personal information that relates to somebody's:
- Criminal record
- Health or genetic information
- Political opinions or associations
- Racial or ethnic origin
- Religious or philosophical beliefs
- Sexual orientation or practices
- Some aspects of biometric information
- Trade union membership or associations
Requirements
With ordinary personal information, you don't need consent to collect personal data. With sensitive personal information, you must have consent, though this can be implied consent. That means an opt-out system is usually acceptable.
Gilbert & Topin lists some tips for making an opt-out consent system meaningful:

You cannot use sensitive personal information for any purpose that isn't directly related to the primary purpose for which you collected it. You can never use it for direct marketing, and you can't share it with "related bodies corporate" such as a sister company or subsidiary.
Protection of Personal Information (POPI) Act
This South African law specifically applies if either the data processor or the processing itself is in South Africa. While the position on data subjects is somewhat ambiguous, most interpretations say it also covers cases where the data processor and processing are outside of South Africa but the data subject is in South Africa.
Definitions
The POPI Act has a category of "special personal information." It covers alleged criminal offenses, court proceedings, and "the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject."
Requirements
For most personal information, you don't need consent to process data about an adult. (You do need a parent or guardian's consent to process data about a child unless the processing is legally required).
For special personal information you must get consent that specifically covers the information in question. The main exceptions are if you are legally required to process the data, or you have specific permission from the Information Regulator to process it without consent.
The Insurance Sector Education and Training Authority uses a consent form for such cases:

California Privacy Rights Act (CPRA)
This law updated the California Consumer Privacy Act (CCPA). The law applies to businesses which do business in California and have a large turnover ($25 million or more), handle the data of a large number of people in California (50,000 or more), or make at least half of their revenue from buying and selling personal data. It doesn't matter where the business is based.
Definition
The CPRA's updates mean the law now defines sensitive personal information as covering:
- Citizenship or immigration status
- Government identifiers
- Information about sexual orientation, racial or ethnic origin, religious or philosophical beliefs, or union membership
- Precise geolocation
Requirements
The CPRA says businesses must break down and disclose their data use by categories. Sensitive personal information must be listed as a separate category.
In the same way as they can tell a company not to sell their personal data, consumers have the right to tell a company not to use their sensitive personal information for any reason other than to perform requested services or provide goods.
Next15's Privacy Policy has specific sections for types of sensitive personal information:

Other State Laws
Several U.S. states have passed their own privacy laws which were written and work in a similar way. These include:
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware Data Protection Act (DPDPA)
- Indiana Consumer Data Protection Act (INCDPA)
- Kentucky Consumer Data Protection Act (KYCDPA) (Enforcement begins in 2026)
- Maryland Data Privacy Act (MDODPA) (Takes effect on 31 July 2025)
- Nebraska Data Privacy Act (NEDPA)
- New Hampshire Data Privacy Act (NHDPA)
- New Jersey Data Protection Act (NJPA)
- Oregon Consumer Privacy Act (OCPA)
- Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) (Takes effect in 2026)
- Tennessee Information Protection Act (TIPA) (Takes effect 1 July 2025)
- Texas Data Privacy and Security Act (TXDPA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
These laws work in very similar ways. They generally apply to businesses that target consumers in the respective state and control the personal data of a large number of consumers, sell the personal data of a large number of consumers, or make a significant proportion of their revenue from selling personal data. The precise thresholds vary between states, partly because of population differences.
The Nevada and Texas laws don't have thresholds but do exempt small businesses.
The New Hampshire and Oregon laws don't apply to businesses which only process personal data to complete payment transactions.
Definition
Each law has a definition of sensitive personal information. While some states have minor variations, the category commonly covers:
- Any personal data about somebody aged under 13
- Genetic or biometric data
- Geolocation data
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship status.
The New Jersey law includes financial information in the sensitive data category.
Requirements
Unlike with ordinary personal data, most of these state laws require consumer consent before processing sensitive personal information. With laws that include personal data of children in the sensitive personal information category, the consent must be from a parent or guardian. In most states, parental or guardian consent previously gathered under the federal COPPA rule will be valid.
Maryland's law is stricter than the others: even with consumer consent, it only allows processing of sensitive data where strictly necessary to provide a service or product. This rules out selling such data or using it for marketing.
Iowa and Utah's laws work slightly differently as they allow for opt-out consent for processing sensitive personal information. This means the business can process the information without consent but must tell the consumer it is doing so and give them a chance to opt out.
Most of the state laws require data controllers to carry out a risk assessment before some data processing. This includes any processing of sensitive personal information.
Summary
Nearly all privacy laws cover personal information: data about an identified or identifiable person. Many laws have extra requirements and restrictions for sensitive personal data. This category often covers financial and health, plus information about sexual orientation, citizenship status, race and personal beliefs.
While the requirements and restrictions vary between different laws, handling sensitive personal information will often require stronger consent from the data subject; trigger a risk assessment; or limit the way you can use or disclose the information.