What is Sensitive Data Under CCPA?

Lawrence Bonk Profile image

Written by:

Updated January 6, 2023

If you are new to online privacy, you may wonder what sensitive data is under the CCPA. Many of the best websites and online shopping platforms have adopted a number of practices that could impact consumer privacy, which is where the CCPA comes in. So what is the CCPA, what is considered sensitive data, and how does this help consumers? Keep reading to find out.


  • CCPA stands for the California Consumer Privacy Act, which was passed in 2018 at the behest of several civil actions.
  • This act protects sensitive information from hackers by mandating that companies inform you of a security breach.
  • Sensitive information in this context includes financial services login credentials, personal data, sexual orientation, ethnic origin, social security numbers, sex life information, and more.

For more information, read up on filing a CCPA data deletion request, what the CPRA considers sensitive personal info, what the CCPA email opt-in process is, and what the CCPA is in general.

Insider Tip

Other states, such as Virginia, have similar regulations on the books beyond California.

What is the CCPA?

CCPA stands for the California Consumer Privacy Act, which is a comprehensive online privacy initiative that primarily benefits California citizens but extends to anyone who uses online services by California-based entities. This act, and the associated regulatory agency, keep an eye on Internet privacy. The act was passed in 2018 and instituted a number of rights for Internet users, such as the right to know about the personal information that is collected and the right to opt-out of the sale of that personal information.

The act also pays special attention to sensitive data as it pertains to security breaches.

What Does CCPA Classify as Sensitive Data?

The CCPA mandates that consumers receive a notification when sensitive data is acquired via a security breach. But what constitutes sensitive data? Let’s take a look.

Personal Information

If hackers snap up your government-issued photo ID, that is considered personal information and falls under the purview of the CCPA. Personal information may also include boilerplate stuff like name, age, address, and phone number, but this depends on the fine print of the service you use. Remember that long terms of service agreement you didn’t read? Some of these contracts force turn your personal information into a free-for-all. If that is the case, then this information would not fall under the CCPA’s mandate.

Financial Information

In nearly all cases, financial information falls under the purview of the CCPA, as leaking this data could cause permanent harm to the consumer. This includes bank login information, such as passwords, financial account details, debit card numbers or credit card numbers, security access codes, and various credentials that allow access to a banking account. It is considered sensitive data if it can be used for identity theft.

STAT: Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers. (source)

Race, Religion, Etc.

A consumer’s race, religious affiliation, gender, and sexuality are all off-limits here and fall under the CCPA’s mandate. In other words, it is illegal for the company not to inform you of the incident if a hacker snaps up any of this information.

CCPA Sensitive Data FAQs

How do the CPRA, CPA, and VCDPA treat sensitive personal information?

This depends on the information itself. For instance, CCPA regulations consider identification cards to be sensitive personal information, but other organizations do not.

How do they measure data sensitivity?

Basically, if the data could ruin a consumer’s life or ruin a commercial entity, then it crosses CCPA regulations and requires legal advice.

Are cookies defined as personal information under the CCPA?

Yes, as cookies collect and process information that can be used to identify a resident. This information includes personal data, such as social security numbers, political opinions, security codes, and various special categories.
Lawrence Bonk Profile image