Sensitive Data Categories Under US Law

US federal and state law does not apply a single unified definition of "sensitive data." Instead, sensitivity is determined by data type, the regulated sector handling it, and the statutory or regulatory framework that governs collection and disclosure. Misclassifying data under the wrong framework, or failing to classify it at all, is one of the most common sources of enforcement exposure for organizations subject to US privacy law. The data protection directory on this site indexes service providers and professionals who operate across these classification boundaries.

Definition and scope

Under US law, sensitive data categories are defined through a patchwork of sector-specific statutes rather than a single omnibus privacy law. Each statute designates certain data types as warranting heightened protection, triggers specific obligations for entities that process them, and establishes distinct enforcement mechanisms.

The primary federal and state frameworks that define sensitive categories include:

  1. Health information — Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA, 45 CFR Parts 160 and 164), covering data held by covered entities and their business associates.
  2. Financial data — Nonpublic personal information (NPI) held by financial institutions under the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §§ 6801–6809), and cardholder data under the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual industry standard enforced through card-brand and acquirer agreements rather than a statute.
  3. Education records — Personally identifiable information in student records under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g).
  4. Consumer financial data — Credit report information under the Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681).
  5. Children's data — Personal information of children under 13 under the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506).
  6. Biometric data — Physical or behavioral identifiers (fingerprints, retina scans, voiceprints) regulated at the state level, most prominently under the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14).
  7. Government identifiers — Social Security Numbers and driver's license numbers, which trigger breach notification obligations under all 50 state breach notification statutes.
  8. Precise geolocation — Real-time or historical location data with sufficient granularity to infer sensitive patterns, now addressed in state comprehensive privacy laws including California, Colorado, Connecticut, Virginia, and Texas.
  9. Genetic data — DNA and genomic information subject to the Genetic Information Nondiscrimination Act (GINA, 42 U.S.C. § 2000ff), which restricts its use in health insurance (Title I) and employment (Title II); several state comprehensive privacy laws also name genetic data as a sensitive category.
  10. Mental health and substance use records — Separately protected from general PHI under 42 CFR Part 2 for substance use disorder treatment records, with additional state-level mental health confidentiality statutes.

How it works

Classification of data as sensitive under US law operates through a two-stage analysis: identifying the regulated sector and then mapping the data type to the applicable statutory definition.

Stage 1 — Sector identification. The entity type determines which federal statute applies. A hospital network falls under HIPAA. A mortgage lender falls under GLBA and potentially FCRA. A public school falls under FERPA. A mobile app directed at children falls under COPPA. Sector overlap is common: a telehealth company that accepts payment cards is subject to HIPAA and PCI DSS at once, and to GLBA as well if it extends credit or otherwise meets the statute's definition of a financial institution, with each framework imposing distinct technical and administrative controls.

Stage 2 — Data type mapping. Within a regulated sector, not all personal data carries the same protection level. Under HIPAA, PHI is defined as individually identifiable health information tied to past, present, or future physical or mental health conditions (45 CFR § 160.103). De-identified data, meeting the Safe Harbor or Expert Determination standards under 45 CFR § 164.514, falls outside PHI protections entirely. This contrast between identifiable and de-identified data is a foundational boundary across nearly every US framework.
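The identifiable/de-identified boundary above is mechanical enough to show in code. The following Python is an added example written for this page, not code from HHS or any vendor; it applies the identifier-removal, date, age and ZIP rules of the Safe Harbor method (45 CFR § 164.514(b)(2)) to a constructed patient record and also pattern-redacts free text, where field stripping alone leaves identifiers behind. The schema field names, the free-text patterns and the restricted three-digit ZIP prefix set are assumptions; the prefix set in particular must be replaced with the current census-derived list before real use.

```python
"""Safe Harbor-style de-identification of one patient record.

Added example for this page, not code from HHS or any vendor. It applies
the identifier-removal, date, age and ZIP rules of the HIPAA Safe Harbor
method (45 CFR 164.514(b)(2)) to a constructed record. Field names, the
free-text patterns and the restricted ZIP-prefix set are assumptions.
"""
import re
from datetime import date

# Direct identifiers Safe Harbor removes outright (schema names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# A 3-digit ZIP prefix may be kept only if the area it covers holds more
# than 20,000 people; otherwise it becomes 000. Assumed list (as recalled
# from HHS guidance built on 2000 census data): verify and reload it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that field stripping misses because they sit in free text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the 3-digit prefix, or 000 when it is restricted or malformed."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"  # fail closed on junk input
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages 90 and over collapse into a single '90+' category."""
    return "90+" if age >= 90 else str(age)


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def redact_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier patterns in free text; return (text, kinds found)."""
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind.upper()}]", text)
    return text, found


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor-style copy of record.

    Direct identifiers are dropped, dates keep only the year, ZIP keeps a
    permitted prefix, ages 90+ (and the birth year that would reveal them)
    collapse to one category, and string fields are pattern-redacted.
    Other field types pass through unchanged, so a reviewer must still
    confirm the schema holds no identifier this code does not know about.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "dob":
            out["age"] = generalize_age(age_on(value, as_of))
        elif isinstance(value, date):
            out[field] = str(value.year)
        elif field == "zip":
            out[field] = generalize_zip(value)
        elif isinstance(value, str):
            out[field], _ = redact_free_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record; nothing here refers to a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "dob": date(1931, 3, 15),
    "admission_date": date(2023, 11, 2),
    "zip": "03601",
    "diagnosis": "I10",
    "notes": "Pt reached at 603-555-0142; prior SSN on file 123-45-6789.",
}
SAMPLE_AS_OF = date(2024, 1, 10)


def run_sample() -> dict:
    """De-identify the constructed record as of SAMPLE_AS_OF."""
    return deidentify(SAMPLE_RECORD, SAMPLE_AS_OF)


if __name__ == "__main__":
    print(run_sample())
```

Two design points matter for a practitioner. The birth date is not merely reduced to a year: once the computed age is 90 or over, the year itself is suppressed, because Safe Harbor treats any date element indicative of such an age as an identifier. And the free-text pass is a floor, not a guarantee: Safe Harbor additionally requires that the covered entity have no actual knowledge the remaining data could identify the individual, so a regex sweep over clinical notes supports that judgement but does not replace it, which is why organizations with rich free text often take the Expert Determination route instead.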

State comprehensive privacy laws add a third layer. Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), "sensitive personal information" is a distinct category (Cal. Civ. Code § 1798.140(ae)) that includes Social Security numbers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, and the contents of mail, email, and text messages. The CPRA grants consumers a right to limit the use and disclosure of this category (§ 1798.121), separate from the general opt-out right.

Organizations navigating multi-framework environments can consult this site's overview of how the professional service landscape is structured around these compliance obligations.

Common scenarios

Healthcare technology vendors. A software-as-a-service platform processing clinical notes for hospital systems handles PHI under HIPAA and must execute Business Associate Agreements (45 CFR §§ 164.308(b), 164.504(e)) with each covered entity. If that same platform incorporates biometric authentication, BIPA obligations may attach for Illinois users.

Retail and e-commerce. A retailer collecting payment card data processes PCI DSS-scoped cardholder data. If the retailer also maintains a loyalty program capturing purchase history tied to precise geolocation, California and Colorado state privacy laws impose additional obligations on that location data as a sensitive category.

Employment records. An employer running background checks pulls consumer reports under FCRA. If pre-employment screening includes genetic testing, GINA prohibitions apply. Mental health accommodations documented in HR files may trigger state-level mental health confidentiality protections separate from HIPAA, because HIPAA does not cover employer-maintained employment records even when those records contain health information.

Educational platforms. An ed-tech company licensed to a school district holds student data under FERPA through the school's authority, not a direct relationship with students. If the platform also collects biometric data for attendance tracking, state biometric laws operate independently of FERPA.

Decision boundaries

The critical classification questions that determine which framework — or frameworks — apply:

Professionals assessing classification boundaries across these frameworks are indexed in the "how to use this data protection resource" section of this site.

Monitored by ANA Regulatory Watch.