
Sensitive personal information (SPI)

“Sensitive personal information”, abbreviated as SPI, is a category of personal information that increases the risk of harm to an individual in case of unauthorized use or disclosure.

Unlike colloquial terms such as “sensitive information”, SPI is explicitly defined in one of the most prominent privacy laws: the California Privacy Rights Act (CPRA).

The CPRA defines “sensitive personal information” as any non-public personal information that reveals the following about an individual:

  1. Social security number (SSN)
  2. Driver’s license number
  3. Passport number
  4. Financial account, debit, or credit card number in combination with security codes or credentials required to access funds
  5. Account credentials
  6. Racial or ethnic origin
  7. Religious or philosophical beliefs
  8. The contents of mail, email, and text messages intended for someone else
  9. Biometric information used for uniquely identifying an individual
  10. Genetic data
  11. Health information
  12. Information about an individual’s sex life or sexual orientation
  13. Precise geolocation
  14. Union membership

According to CPRA, individuals have the right to limit the use and disclosure of SPI to guard against identity theft. They are also entitled to hold businesses accountable for failing to take reasonable measures to protect SPI from hackers and security breaches. Businesses must inform individuals about the types of SPI they collect and the purposes for which it is collected.

SPI under CPRA largely overlaps with the “special categories of personal data” defined by the General Data Protection Regulation (GDPR). GDPR prohibits processing special categories of personal data by default unless specific conditions are met.

Together, CPRA’s “sensitive personal information” and GDPR’s “special categories of personal data” are often colloquially referred to as sensitive personally identifiable information (SPII).