US-CaliforniaWhat is 'sensitive personal information' under CPRA?
Under the California Privacy Rights Act (CPRA), 'sensitive personal information' includes data like Social Security numbers, precise geolocation, racial origin, religious beliefs, sexual orientation, and contents of mail, email, or text messages.
What the Law Says
The CPRA defines 'sensitive personal information' in Civil Code section 1798.121, adding new protections beyond the original CCPA. Businesses must provide separate notice and obtain opt-in consent before using this data for purposes beyond what is strictly necessary.
Sensitive personal information is a special category of personal data that receives heightened protection under the CPRA. It includes specific types of information that could cause significant harm if misused — such as identity theft, discrimination, or harassment.
The law requires businesses to limit collection and use of this data, disclose its use in privacy policies, and allow consumers to limit its use — especially for advertising or profiling.
Consumers have the right to direct businesses to limit the use of their sensitive personal information to what is 'necessary to perform the services or provide the goods reasonably expected by an average consumer.'
Statutory Text“Sensitive personal information” means: (A) A consumer’s first name or first initial and last name in combination with any one or more of the following data elements: (i) A Social Security number. (ii) A driver’s license number, California Identification Card number, or other government-issued identification number. (iii) An account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to the consumer’s financial account. (iv) A precise geolocation. (v) A racial or ethnic origin. (vi) A religious belief. (vii) A union membership. (viii) The contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication. (ix) Genetic data. (x) Biometric information. (xi) Personal information collected and analyzed concerning a consumer’s health. (xii) Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
— Cal. Civ. Code § 1798.121(a)(1) — Definition of sensitive personal information
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.