Sensitive Data Categories Under US Law
US law does not apply a single unified definition to "sensitive data." Instead, sensitivity tiers and treatment obligations emerge from a patchwork of federal statutes, sector-specific regulations, and a growing body of state privacy laws — each establishing its own categories, covered entities, and consequences for mishandling. Understanding how these categories are classified, which regulatory bodies enforce them, and where classification boundaries overlap is essential for compliance professionals, legal teams, and researchers operating across the healthcare, finance, education, and consumer sectors.
Definition and scope
Sensitive data categories are legally defined subsets of personal information that attract heightened protection obligations — typically stricter consent requirements, narrower disclosure permissions, mandatory safeguards, and elevated penalties for breach. The Federal Trade Commission, the Department of Health and Human Services, and the Consumer Financial Protection Bureau each govern distinct sensitive data domains under separate statutory frameworks.
At the federal level, at least five major category clusters carry explicit heightened treatment:
- Protected health information (PHI) — individually identifiable health data governed by HIPAA (45 CFR Parts 160 and 164). Covers diagnoses, treatment records, insurance identifiers, and any information linkable to a patient's physical or mental condition. See HIPAA Data Protection Requirements for the full regulatory scope.
- Financial account and consumer credit data — governed by the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. § 6801 et seq.) and the Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681 et seq.). Covered categories include account numbers, credit scores, transaction histories, and income data collected by financial institutions. The Gramm-Leach-Bliley Financial Data reference page describes safeguard rule obligations.
- Children's personal information — any data collected from children under age 13, governed by COPPA (15 U.S.C. § 6501 et seq.) and enforced by the FTC. COPPA Children's Data Protection covers verifiable parental consent requirements.
- Educational records — student records containing directly identifiable information, protected under FERPA (20 U.S.C. § 1232g). Covered institutions must not disclose these records to third parties without consent, subject to exceptions narrowly defined in the statute.
- Biometric identifiers — fingerprints, retinal scans, voiceprints, facial geometry, and similar physiological data. No single federal statute governs all biometric data; state laws, notably Illinois BIPA (740 ILCS 14), Texas CUBI (Tex. Bus. & Com. Code § 503.001), and Washington's My Health My Data Act (2023), establish sector-specific obligations. See Biometric Data Protection Laws for a cross-jurisdictional comparison.
State comprehensive privacy laws — including the California Privacy Rights Act (CPRA), Colorado Privacy Act, and Virginia Consumer Data Protection Act — have further expanded sensitive category definitions to include precise geolocation, racial and ethnic origin, sexual orientation, religious beliefs, mental health data, and immigration status. The State Data Privacy Laws Comparison page maps these state-level expansions.
How it works
Sensitive data classification functions as a trigger mechanism. Once data is classified into a regulated category, a discrete set of legal obligations activates:
- Identification and inventory — The organization determines whether collected data falls within a statutory definition. PHI is identified against the 18 HIPAA Safe Harbor identifiers (45 CFR § 164.514(b)(2)). GLBA-covered data is identified by the type of institution collecting it and its relationship to the customer.
- Consent or authorization — Most sensitive categories require affirmative authorization prior to collection or disclosure. HIPAA requires a signed authorization for non-treatment purposes; COPPA requires verifiable parental consent; Illinois BIPA requires written informed consent before biometric collection.
- Safeguard implementation — Covered entities must implement technical and administrative controls proportional to the data's sensitivity. The NIST Privacy Framework (NIST IR 8062) and the FTC's Safeguards Rule (16 CFR Part 314) provide operational standards. Data Encryption Standards Compliance describes applicable technical controls.
- Breach notification — Unauthorized access to sensitive categories triggers notification timelines that differ by statute. HIPAA mandates notification within 60 days of discovery; GLBA's updated Safeguards Rule (effective 2023) requires notification to the FTC within 30 days when 500 or more customers are affected (FTC Safeguards Rule Notification Requirement). Data Breach Notification Requirements covers the full matrix.
- Retention and disposal — Sensitive data must be retained for minimum statutory periods and then securely destroyed. HIPAA requires medical records retention for 6 years from creation or last effective date (45 CFR § 164.530(j)).
Common scenarios
Healthcare provider — inadvertent PHI disclosure: A hospital transmits patient discharge summaries to a third-party analytics vendor without a HIPAA-compliant Business Associate Agreement (BAA). This constitutes an unauthorized disclosure of PHI, triggering HHS Office for Civil Rights investigation and civil monetary penalties that range from $100 to $50,000 per violation depending on culpability tier (HHS OCR HIPAA Enforcement).
Fintech application — children's financial data: A mobile banking app directed at minors collects payment card data and browsing behavior. This data intersects both COPPA (children under 13) and GLBA (financial data), requiring dual compliance — a scenario where the stricter standard governs each element. The CCPA/CPRA Compliance Reference page addresses California's parallel sensitive data opt-out requirements.
Employer — biometric time-tracking: A manufacturer installs fingerprint-based time clocks at its facilities in Illinois, Texas, and Washington. Illinois BIPA mandates a written policy, informed consent from each employee, and a retention schedule — with a private right of action carrying statutory damages of $1,000 to $5,000 per violation (740 ILCS 14/20). Texas and Washington impose similar but not identical collection consent requirements.
Marketing firm — geolocation data: A company aggregates precise GPS coordinates from a consumer app to build targeted advertising profiles. Under the CPRA, precise geolocation is a sensitive category requiring opt-in consent rather than opt-out. The Data Minimization Principles page covers purpose limitation standards applicable to this data type.
Decision boundaries
The most operationally significant classification questions arise at the edges of statutory definitions:
De-identified vs. pseudonymized data: HIPAA recognizes two de-identification methods — Safe Harbor (removing 18 specified identifiers per 45 CFR § 164.514(b)) and Expert Determination. Data that meets either standard is no longer PHI and loses HIPAA protection obligations. However, CPRA treats pseudonymized data differently — it remains personal information unless the pseudonymization is combined with additional technical safeguards that prevent re-linkage.
Employee vs. consumer data: Most federal sensitive data statutes were drafted for consumer or patient contexts. Employee health data collected through an employer-sponsored health plan is PHI; employee health data collected through a general wellness questionnaire may fall outside HIPAA but within state employee privacy statutes. Employee Data Privacy Protections addresses this boundary in detail.
Aggregate vs. individual-level data: Aggregate statistics derived from sensitive categories are generally not regulated as sensitive data. The operative test across HIPAA, GLBA, and state frameworks is whether the data can be linked, directly or indirectly, to a specific individual. The Personally Identifiable Information Definitions page documents how federal agencies apply linkability tests.
Overlapping state and federal jurisdiction: When state law provides greater protections than federal law, the stricter standard typically controls. Illinois BIPA, for example, imposes obligations on biometric data that exceed any current federal requirement. Where a federal statute contains an express preemption clause (as COPPA does at 15 U.S.C. § 6502(d)), inconsistent state law is displaced — but state laws that provide stronger protections may survive preemption analysis depending on circuit interpretation.
References
- HHS Office for Civil Rights — HIPAA Enforcement
- FTC Safeguards Rule — 16 CFR Part 314
- COPPA Rule — 16 CFR Part 312 (FTC)
- FERPA — 20 U.S.C. § 1232g (ED.gov)
- NIST Privacy Framework (NIST IR 8062)
- Illinois Biometric Information Privacy Act — 740 ILCS 14
- California Privacy Rights Act — California AG Resource
- HIPAA Safe Harbor De-identification — 45 CFR § 164.514(b) (HHS.gov)