Compliance Guides · March 29, 2026 · 10 min read

Sensitive Data Under State Privacy Laws: What Counts and Why It Matters


Why Sensitive Data Gets Special Treatment

Not all personal data is treated equally under US state privacy laws. A growing category of information — called "sensitive data" or "sensitive personal information" — triggers heightened protections, most notably a requirement for opt-in consent before processing. Unlike standard personal data, where consumers must actively opt out, sensitive data flips the default: businesses cannot collect or use it without first obtaining the consumer's affirmative agreement.

With over 20 states now enforcing comprehensive privacy laws, the definitions of what counts as sensitive data vary meaningfully. If your business operates across state lines, understanding these differences is essential. Use our State Comparison Tool to see how specific states differ side by side.

Common Sensitive Data Categories

Most state privacy laws agree on a core set of sensitive data categories:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnoses
  • Sexual orientation or sex life
  • Biometric data used for identification
  • Genetic data
  • Precise geolocation data (typically within 1,750 feet / ~500 meters)
  • Data from known children (under 13 in most states, under 16 in some)

Beyond this common core, individual states have added unique categories that expand the definition. These differences can create significant compliance complexity for multi-state businesses.

Key Differences by State

California (CCPA/CPRA)

California has one of the broadest definitions. In addition to the common categories, California treats the following as sensitive personal information: government identifiers (Social Security, driver's license, state ID and passport numbers); account log-in, financial account, or debit/credit card numbers when combined with the credentials needed to access the account; citizenship or immigration status (added in 2024); religious or philosophical beliefs; union membership; the contents of mail, email and text messages, unless the business is the intended recipient; and, since January 1, 2025, neural data. California's consent model is also different: rather than requiring opt-in, it gives consumers a "right to limit" the use and disclosure of sensitive personal information to what is necessary to provide the requested goods or services (the opt-in requirement applies only to selling or sharing the data of consumers under 16).

Maryland (MODPA)

Maryland's MODPA took effect October 1, 2025 and applies to processing activities from April 1, 2026. It is among the strictest. It defines sensitive data to include all common categories plus consumer health data, status as transgender or nonbinary, national origin, and citizenship or immigration status; the article's comparison table below also credits it with financial information and government-issued identifiers. Maryland's data minimization rule goes beyond other states: a controller may collect personal data only where "reasonably necessary and proportionate" to the disclosed purpose, may collect or process sensitive data only where "strictly necessary" to provide or maintain a specific product or service the consumer requested, and may not sell sensitive data at all, even with consent.

Connecticut (CTDPA — 2026 Update)

Connecticut's CTDPA, significantly amended by SB 1295 (2025) with most provisions effective July 1, 2026, added neural data as a sensitive data category, following Colorado (2024) and California (2025) in protecting data generated by brain-computer interfaces and similar devices. Citizenship or immigration status was already sensitive data under the original CTDPA. The update also expanded protections for minors.

Oregon (OCPA)

Oregon stands out by including status as transgender or non-binary, national origin, and status as a victim of crime as sensitive data categories. Oregon also covers nonprofits (since July 1, 2025), and its 30-day cure period expired on January 1, 2026, so the Attorney General can now bring an action without first giving the business a chance to fix the violation.

Texas (TDPSA)

Texas follows the Virginia model for its sensitive data definition (the common categories plus citizenship or immigration status; it does not single out financial information). What makes the TDPSA broad is its scope: it has no revenue or consumer-count threshold, so it applies to virtually any business that operates in Texas and processes personal data. Small businesses as defined by the U.S. Small Business Administration are exempt from most obligations, but even they may not sell sensitive data without the consumer's prior consent.

Virginia (VCDPA)

Virginia follows the common model closely, covering racial origin, religious beliefs, health diagnoses, sexual orientation, biometric data, genetic data, geolocation, citizenship/immigration status, and known child data. Virginia served as the template for many subsequent state laws.

State-by-State Comparison

Category                         CA     VA     CO     CT     TX     OR     MD
Racial/Ethnic Origin             Yes    Yes    Yes    Yes    Yes    Yes    Yes
Religious Beliefs                Yes    Yes    Yes    Yes    Yes    Yes    Yes
Health/Mental Diagnoses          Yes    Yes    Yes    Yes    Yes    Yes    Yes
Biometric Data                   Yes    Yes    Yes    Yes    Yes    Yes    Yes
Genetic Data                     Yes    Yes    Yes    Yes    Yes    Yes    Yes
Precise Geolocation              Yes    Yes    Yes    Yes    Yes    Yes    Yes
Sexual Orientation               Yes    Yes    Yes    Yes    Yes    Yes    Yes
Known Child Data                 Yes    Yes    Yes    Yes    Yes    Yes    Yes
Citizenship/Immigration Status   Yes    Yes    Yes**  Yes    Yes    Yes    Yes
SSN/Gov ID Numbers               Yes    No     No     No     No     No     Yes
Financial Information            Yes*   No     No     No     No     No     Yes
Neural Data                      Yes    No     Yes    Yes*** No     No     No
Transgender Status               No     No     No     No     No     Yes    Yes
National Origin                  No     No     No     No     No     Yes    Yes

*California covers account log-in, financial account and card numbers only when combined with the credentials needed to access the account.
**Colorado covers "citizenship or citizenship status" but not immigration status.
***Connecticut's neural data category takes effect July 1, 2026 (SB 1295).

Opt-In vs. Opt-Out: What Businesses Must Do

The critical distinction with sensitive data is the consent model. For standard personal data, most state privacy laws use an opt-out model — consumers must take action to stop processing. For sensitive data, the model flips to opt-in — businesses must obtain affirmative consent before collecting or processing the data.

In practice, this means:

  • You need a clear, specific consent mechanism (not buried in a privacy policy)
  • The consent must be freely given, informed, and unambiguous
  • Pre-checked boxes or bundled consent are generally not sufficient
  • Consumers must be able to withdraw consent at any time
  • You must document when and how consent was obtained
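The consent requirements above are easiest to get right when they are enforced at the point where sensitive data is actually processed, not only in the sign-up form. The following is an added example, not code from the article or any vendor: a minimal consent ledger and a policy gate. The ledger refuses to record a grant that was not an affirmative, purpose-specific act (so pre-checked boxes and bundled "agree to all" never become evidence of consent), the newest event per consumer/category/purpose wins (so a withdrawal supersedes an earlier grant), and every event is kept for audit. The per-state category sets and the `Model` split between opt-in states and California's right-to-limit are assumptions drawn from the comparison table above and simplified for illustration (California's limit right applies to uses beyond what is necessary to provide the requested service, and the under-16 sale/sharing rule is not modeled); a real deployment would load them from a counsel-reviewed source.

```python
"""Consent gate for sensitive-data processing (added illustrative example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Categories the article lists as the common core across states.
CORE = frozenset({
    "racial_ethnic_origin", "religious_beliefs", "health_diagnosis",
    "sexual_orientation", "biometric_id", "genetic_data",
    "precise_geolocation", "known_child",
})

# ASSUMPTION: simplified per-state extensions taken from the comparison table
# above; a production table must come from counsel-reviewed sources.
STATE_SENSITIVE = {
    "VA": CORE | {"citizenship_immigration"},
    "TX": CORE | {"citizenship_immigration"},
    "CO": CORE | {"citizenship_status", "neural_data"},
    "CT": CORE | {"citizenship_immigration", "neural_data"},
    "OR": CORE | {"citizenship_immigration", "transgender_status", "national_origin"},
    "CA": CORE | {"citizenship_immigration", "gov_id_number",
                  "financial_account_with_credentials", "message_contents",
                  "union_membership", "neural_data"},
}


class Model(Enum):
    OPT_IN = "opt_in"   # affirmative consent required before any processing
    LIMIT = "limit"     # California: processing allowed until the consumer limits use


CONSENT_MODEL = {"CA": Model.LIMIT}   # every other state defaults to OPT_IN


@dataclass(frozen=True)
class ConsentEvent:
    consumer_id: str
    category: str
    purpose: str
    granted: bool        # False records a withdrawal or a California "limit" request
    affirmative: bool    # True only for an explicit, unchecked-by-default act
    method: str          # where it happened, e.g. "settings_toggle"
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class ConsentLedger:
    """Append-only record of consent events; the newest event per
    (consumer, category, purpose) is authoritative."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        # Enforce the opt-in bar at write time, so a pre-checked box or a
        # blanket "agree to everything" never enters the ledger as a grant.
        if ev.granted and not ev.affirmative:
            raise ValueError("consent must be an affirmative act, not a default")
        if ev.granted and ev.purpose == "*":
            raise ValueError("bundled consent is not purpose-specific")
        self._events.append(ev)

    def latest(self, consumer_id: str, category: str, purpose: str):
        for ev in reversed(self._events):   # newest first: withdrawal supersedes grant
            if (ev.consumer_id, ev.category, ev.purpose) == (consumer_id, category, purpose):
                return ev
        return None

    def audit(self, consumer_id: str) -> list[tuple]:
        """Evidence trail: when, which category, which purpose, granted/withdrawn, how."""
        return [(ev.at.isoformat(), ev.category, ev.purpose, ev.granted, ev.method)
                for ev in self._events if ev.consumer_id == consumer_id]


def is_sensitive(state: str, category: str) -> bool:
    return category in STATE_SENSITIVE.get(state, CORE)


def may_process(ledger: ConsentLedger, state: str, consumer_id: str,
                category: str, purpose: str) -> tuple[bool, str]:
    """Decide whether `category` may be processed for `purpose`; returns (allowed, reason)."""
    if not is_sensitive(state, category):
        return True, "not sensitive in this state"
    ev = ledger.latest(consumer_id, category, purpose)
    if CONSENT_MODEL.get(state, Model.OPT_IN) is Model.OPT_IN:
        if ev is None:
            return False, "opt-in required: no consent on record"
        return (True, "consent on record") if ev.granted else (False, "consent withdrawn")
    # LIMIT model: allowed unless the consumer has asked to limit this use.
    if ev is not None and not ev.granted:
        return False, "consumer limited this use"
    return True, "no limit request on record"


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(may_process(ledger, "VA", "c1", "health_diagnosis", "care_reminders"))
    ledger.record(ConsentEvent("c1", "health_diagnosis", "care_reminders", True, True, "settings_toggle"))
    print(may_process(ledger, "VA", "c1", "health_diagnosis", "care_reminders"))
    ledger.record(ConsentEvent("c1", "health_diagnosis", "care_reminders", False, False, "settings_toggle"))
    print(may_process(ledger, "VA", "c1", "health_diagnosis", "care_reminders"))
    print(ledger.audit("c1"))
```

Two design points matter in practice. Consent is keyed by purpose, so a grant for "care_reminders" does not authorize "marketing"; that is what keeps bundled consent out. And the ledger is append-only: a withdrawal is a new event rather than a deletion, which is what lets you later show a regulator exactly when and how consent was obtained and when it ended.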

For guidance on implementing consent mechanisms, see our guide on managing user consent for data privacy compliance. Use our Privacy Law Calculator to determine which state laws apply to your business.

Frequently Asked Questions

Do all state privacy laws require opt-in consent for sensitive data?

Most do, but the implementation varies. California uses a "right to limit" model: processing is permitted by default, and consumers can restrict the use and disclosure of sensitive data to what is necessary to provide the requested service. Most other states (Virginia, Colorado, Connecticut, Texas, Oregon, Maryland, etc.) use a pure opt-in model. Utah and Iowa are the exceptions: they require only clear notice and an opportunity to opt out before sensitive data is processed (children's data still requires parental consent under COPPA), and Utah's high applicability thresholds mean few businesses are covered in any case.

Is employee data considered sensitive under these laws?

Most state privacy laws exempt employee data from their scope entirely (data collected in the employment context). California is a notable exception — CCPA covers employee personal information, including any sensitive categories. Maryland's MODPA also does not fully exempt employee data. Always check the specific exemptions for each state.

What happens if I process sensitive data without proper consent?

Penalties vary by state, but violations involving sensitive data are typically treated more seriously. In California, the 2025 inflation-adjusted figures are $2,663 per violation and $7,988 per intentional violation or violation involving minors' data. In Maryland, penalties run up to $10,000 per violation and up to $25,000 for each repeated violation. In Texas, the Attorney General can seek up to $7,500 per violation. Because each affected consumer can count as a separate violation, these amounts compound rapidly at scale.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.