The IT Law Wiki



Sensitive personal information is defined by the federal banking regulators as:

a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account.


Sensitive personal information is

(1) personal information that reveals
(A) a consumer's social security, driver's license, state identification card, or passport number;
(B) a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
(C) a consumer's precise geolocation;
(D) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership;
(E) the contents of a consumer's mail, email and text messages, unless the business is the intended recipient of the communication;
(F) a consumer's genetic data; and
(2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer;
(B) personal information collected and analyzed concerning a consumer's health; or
(C) personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

Sensitive personal information that is "publicly available" pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information.[1]
  • Sensitive personal information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.


  1. Cal. Civ. Code § 1798.140(ae).
  2. Federal Information Security and Data Breach Notification Laws, at 2 n.10.
