Every privacy law draws a line between ordinary personal data and a narrower category it considers sensitive. The distinction is not academic. Sensitive data triggers stricter consent rules, tighter security obligations, and significantly higher penalties if something goes wrong. If your website collects health information through a contact form, logs biometric identifiers, or infers political opinions from browsing behaviour, you may already be handling sensitive data without realising it.
What Counts as Personal Data?
Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person. The definition is deliberately broad. A name, an email address, an IP address, a customer number, CCTV footage - all of it qualifies. The European Court of Justice has confirmed that even written answers on an exam paper can be personal data if the candidate can be identified.
The CCPA goes wider still. California's law covers information that identifies, relates to, or could reasonably be linked to a consumer or household. That includes browsing history, purchasing patterns, and inferences drawn from other data - categories many businesses would not instinctively call "personal data."
Brazil's LGPD takes a similarly expansive approach, defining personal data as any information related to an identified or identifiable natural person. Given the breadth of modern data collection, virtually any piece of information attached to an individual can qualify.
What Makes Data "Sensitive"?
Sensitive data is a subset of personal data that regulators consider especially prone to misuse. Exposure of this information can lead to discrimination, social stigma, financial harm, or physical danger. That is why every major privacy framework treats it differently.
Under the GDPR, sensitive data is formally called special category data. Article 9 identifies the following types:
| Category | Examples |
|---|---|
| Racial or ethnic origin | Skin colour, ethnic or cultural background (nationality alone does not normally qualify) |
| Political opinions | Party membership, voting history |
| Religious or philosophical beliefs | Faith, spiritual practices, atheism |
| Trade union membership | Union affiliation records |
| Genetic data | DNA test results, hereditary information |
| Biometric data (for identification) | Fingerprints, facial recognition, iris scans |
| Health data | Medical records, prescription history, disability status |
| Sex life or sexual orientation | Relationship data, dating preferences |
The UK GDPR mirrors this list. Criminal conviction and offence data is not a special category under Article 9 in either regime; both the EU and UK GDPR treat it separately under Article 10, and in the UK the conditions for processing it are set out in the Data Protection Act 2018.
How the CCPA and CPRA Define Sensitive Personal Information
California takes a different approach. The CPRA introduced the concept of "sensitive personal information" (SPI) as a formal legal category, which the original CCPA did not include. The CPRA's list overlaps with the GDPR's special categories but adds several items unique to the American context.
SPI under California law includes government-issued identifiers (Social Security, driver's licence and passport numbers), account login or financial account details combined with the password or access code needed to use them, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of mail, email and text messages where the business is not the intended recipient, genetic data, biometric data processed to uniquely identify a person, health information, and sex life or sexual orientation. Since AB 947 took effect in January 2024, citizenship and immigration status also qualifies.
The enforcement model differs too. Under the GDPR, processing special category data is prohibited by default unless you satisfy one of the conditions in Article 9. Under the CPRA, businesses may collect and use SPI without prior consent, subject to notice at collection, unless the consumer exercises their right to limit its use. A business that uses or discloses SPI for purposes beyond those the regulations treat as necessary (for example, to infer characteristics about the consumer or for cross-context behavioural advertising) must display a "Limit the Use of My Sensitive Personal Information" link on its homepage.
Sensitive Data Under the LGPD
Article 5(II) of Brazil's LGPD defines sensitive personal data as information on racial or ethnic origin, religious conviction, political opinion, trade union or religious/philosophical/political organisation membership, health or sexual life data, and genetic or biometric data when linked to a natural person. The list closely mirrors the GDPR, though the LGPD does not use the term "special category."
Processing sensitive data under the LGPD requires either specific and prominent consent or reliance on one of the narrower legal bases set out in Article 11. Three of the LGPD's ten standard legal bases - legitimate interest, credit protection, and contractual necessity - cannot be used for sensitive data at all. This differs from the GDPR, where legitimate interest can still serve as the Article 6 lawful basis for special category data, provided a separate Article 9 condition is also satisfied; Article 9 itself contains no legitimate-interest condition.
Comparing Definitions Across Frameworks
The categories overlap substantially, but the differences matter for websites operating across multiple jurisdictions.
| Data type | GDPR (Article 9) | CPRA (SPI) | LGPD (Article 5) |
|---|---|---|---|
| Racial or ethnic origin | Yes | Yes | Yes |
| Political opinions | Yes | No | Yes |
| Religious/philosophical beliefs | Yes | Yes | Yes |
| Trade union membership | Yes | Yes | Yes |
| Genetic data | Yes | Yes | Yes |
| Biometric data | Yes | Yes | Yes |
| Health data | Yes | Yes | Yes |
| Sexual orientation | Yes | Yes | Yes |
| Government IDs (SSN, passport) | No | Yes | No |
| Financial account credentials | No | Yes | No |
| Precise geolocation | No | Yes | No |
| Private communications | No | Yes | No |
| Citizenship/immigration status | No | Yes (since 2024) | No |
The CPRA's definition is noticeably broader, pulling in categories that the GDPR and LGPD treat as ordinary personal data and that Europe regulates, if at all, through other instruments: location data and the confidentiality of communications under the ePrivacy Directive, for example, and payment data through the security requirements of PSD2.
Why the Distinction Matters for Your Website
The practical consequences of misclassifying data are severe.
Consent requirements escalate. Under the GDPR, processing special category data generally requires explicit consent - a higher bar than the standard "unambiguous" consent needed for ordinary personal data. Explicit consent means a clear, affirmative statement specifically addressing the sensitive processing. A generic cookie banner that bundles everything into one "Accept All" button is unlikely to meet this standard. Article 7 sets the baseline for valid consent, but Article 9 demands more.
You need a dual legal basis under the GDPR. Controllers must satisfy both a lawful basis under Article 6 and a separate condition under Article 9. This means you cannot simply pick "legitimate interest" and move on. You need two legal justifications working in tandem.
Penalties are steeper. GDPR fines for mishandling sensitive data fall under the higher tier of Article 83(5): up to 20 million euros or 4% of global annual turnover, whichever is greater. By March 2025, cumulative GDPR fines had reached approximately 5.88 billion euros across Europe. In Estonia, the Apotheka loyalty programme operator was fined 3 million euros in 2024 after a breach exposed health-related purchase data of over 750,000 individuals - a case where the sensitive nature of the data directly influenced the penalty.
Security obligations increase. Article 32 of the GDPR requires technical and organisational measures proportionate to the risk, and the presence of special category data raises that risk. Supervisory authorities have treated the absence of appropriate safeguards for sensitive data as an infringement of Article 32 in its own right, without waiting for an actual leak. Under Article 35(3)(b), a Data Protection Impact Assessment is required before processing special category data on a large scale.
How Cookies and Tracking Can Collect Sensitive Data
Many website owners assume they only collect names and email addresses. In practice, cookies and tracking technologies can inadvertently gather sensitive information.
A health-related website that logs page visits through analytics cookies may be recording that a visitor read articles about HIV treatment or cancer symptoms. A news site's behavioural tracking could reveal political opinions based on article clicks. A dating platform's _fbp or _ga cookies, combined with browsing patterns, could expose sexual orientation.
The French CNIL has been particularly active here, issuing combined fines of over 200 million euros to Google and Meta in 2022 for placing tracking cookies without valid consent. Those cases were brought under the French transposition of the ePrivacy Directive and turned on the consent mechanism rather than on sensitive data classification, but the principle carries over: if your tracking reveals sensitive characteristics, you need an Article 9 condition as well as an Article 6 lawful basis.
Running a cookie scan is the fastest way to identify what data your site actually collects. Automated scanners detect first-party and third-party cookies, helping you map which ones might touch sensitive categories.
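The situation the previous paragraphs describe (a known tracker cookie present on a page whose URL reveals a health, political or sexual-orientation topic) can be checked mechanically from the site's own access logs. The script below is an added example for this article, not code from the page or from any scanning product; the keyword rules, the cookie-name catalogue and the sample log are illustrative assumptions, and a real audit would replace them with the site's URL map and a maintained vendor inventory. It also serves as a starting point for the data-mapping step in the practical section that follows.

```python
"""Flag tracking cookies observed on pages that point at a sensitive topic.

Added example, not part of the original article. Keyword rules, cookie
catalogue and the sample log are constructed assumptions for illustration.
"""
import re
from collections import Counter
from http.cookies import SimpleCookie

# Assumed rules mapping URL path segments to GDPR Article 9 categories.
# A real audit would be built from the site's content map, not keywords.
SENSITIVE_PATH_RULES = {
    "health": re.compile(r"/(hiv|cancer|diabetes|depression|therapy|prescription)", re.I),
    "political_opinions": re.compile(r"/(election|party|vote|manifesto)", re.I),
    "sexual_orientation": re.compile(r"/(lgbt|gay|lesbian|dating)", re.I),
}

# Assumed catalogue of cookie-name prefixes set by third-party trackers.
TRACKER_COOKIES = {
    "_fbp": "Meta Pixel",
    "_fbc": "Meta Pixel",
    "_ga": "Google Analytics",       # also matches GA4's _ga_<stream id>
    "_gid": "Google Analytics",
    "_gcl_au": "Google Ads",
    "_hjSessionUser": "Hotjar",      # real name carries a site id suffix
}


def classify_path(path):
    """Return the sensitive categories a URL path points at (may be empty)."""
    return sorted(cat for cat, rx in SENSITIVE_PATH_RULES.items() if rx.search(path))


def tracker_cookies(cookie_header):
    """Parse a Cookie request header; return {cookie_name: vendor} for known trackers."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    found = {}
    for name in jar:
        for prefix, vendor in TRACKER_COOKIES.items():
            if name == prefix or name.startswith(prefix):
                found[name] = vendor
    return found


def audit(page_views):
    """page_views: iterable of (path, cookie_header) pairs taken from request logs.

    Returns one finding per (page, category, tracker cookie) combination, i.e.
    every case where a tracker could link a visitor to a sensitive topic.
    """
    findings = []
    for path, cookie_header in page_views:
        categories = classify_path(path)
        if not categories:
            continue  # ordinary personal data only; not in scope here
        for name, vendor in tracker_cookies(cookie_header).items():
            for cat in categories:
                findings.append({"path": path, "category": cat,
                                 "cookie": name, "vendor": vendor})
    return findings


def summarise(findings):
    """Count findings per (category, vendor): which vendor could infer which category."""
    return Counter((f["category"], f["vendor"]) for f in findings)


# Constructed sample log (path, Cookie header), not real traffic.
SAMPLE_LOG = [
    ("/articles/hiv-treatment-options",
     "_ga=GA1.2.111.222; _ga_ABC123=GS1.1.1; _fbp=fb.1.1700000000.12345"),
    ("/news/election-2024-party-manifestos",
     "_ga=GA1.2.111.222; session=abc"),
    ("/dating/lgbt-profiles",
     "_fbp=fb.1.1700000000.12345; _hjSessionUser_98765=xyz"),
    ("/about-us",
     "_ga=GA1.2.111.222; _fbp=fb.1.1700000000.12345"),
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(summarise(results))
```

The useful output is the summary: it tells you, per vendor, which Article 9 category that vendor's cookie sat next to, which is the list you need when deciding whether a consent flow must address sensitive processing for that tracker. The first-party `session` cookie is ignored, and the `/about-us` view produces no finding even though trackers are present, because the page itself reveals nothing sensitive.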
Practical Steps to Stay Compliant
Start by auditing the data your website collects. Map every form field, cookie, tracking pixel, and third-party integration against the sensitive data categories for each jurisdiction you serve. Pay particular attention to inferred data - if your analytics platform builds audience segments based on health interests or political leanings, those inferences may qualify as sensitive.
Separate your consent flows. If you process both ordinary personal data and sensitive data, a single "Accept All" toggle is not enough under the GDPR. You need granular consent that specifically addresses the sensitive processing, collected before the data is gathered.
Document your records of processing activities with extra detail for sensitive data. Record the Article 6 and Article 9 conditions you rely on, the security measures in place, and any DPIA conducted.
For websites subject to the CPRA, implement the required homepage link allowing consumers to limit your use of their sensitive personal information. If you serve Brazilian users, remember that legitimate interest cannot justify processing sensitive data under the LGPD's sensitive data rules.
Review your position regularly. California added citizenship and immigration status to its SPI definition as recently as January 2024. In Europe, the Commission announced in 2025 that it was withdrawing the long-stalled ePrivacy Regulation proposal, so cookie consent rules continue to rest on the ePrivacy Directive and its national transpositions, which regulators keep reinterpreting.
Frequently Asked Questions
Is a person's name considered sensitive personal data?
No. A name is ordinary personal data under the GDPR, CCPA, and LGPD. It becomes sensitive only if it inherently reveals protected characteristics - for example, a name that discloses ethnic origin in a specific context.
Can cookies collect sensitive personal data without my knowledge?
Yes. Analytics and advertising cookies can reveal health conditions, political views, or sexual orientation based on browsing patterns. If your site covers health, politics, or dating content, the tracking data may qualify as sensitive under GDPR Article 9.
What is the difference between special category data and sensitive data?
Under the GDPR, "special category data" is the formal legal term for what most people call sensitive data. The CCPA uses "sensitive personal information" (SPI), and the LGPD uses "sensitive personal data." The categories overlap but are not identical across frameworks.
Do I need explicit consent to process sensitive data under GDPR?
In most cases, yes. Article 9(2)(a) requires explicit consent for sensitive data processing unless another specific exception applies, such as employment law obligations, vital interests, or substantial public interest. Standard consent is not sufficient.
Does the CCPA require opt-in consent for sensitive personal information?
No. The CPRA uses an opt-out model. Businesses may process sensitive personal information by default, but must provide consumers with a mechanism to limit that processing. This is the opposite of the GDPR's opt-in approach.
Can I use legitimate interest to process sensitive data?
Under the GDPR, legitimate interest can only ever be the Article 6 half of the justification; Article 9 contains no legitimate-interest condition, so you still need explicit consent or another Article 9(2) exception on top of it. Under Brazil's LGPD, it is explicitly excluded - sensitive data cannot be processed on the basis of legitimate interest at all.
How do I know if my website collects sensitive personal data?
Run a cookie scan to identify all first-party and third-party cookies and trackers on your site. Then review form fields, analytics segments, and any third-party integrations that might capture or infer information falling into sensitive categories.
Get Ahead of the Classification Problem
Misclassifying the data your website handles is one of the most common compliance failures. If you are unsure what your cookies and trackers actually collect, a scan takes less than a minute. Kukie.io identifies, categorises, and documents every cookie on your site - giving you the information you need to set up the right consent flows for both ordinary and sensitive data.