Sensitive Personal Information (SPI)
Categories of personal data that receive heightened protection under state privacy laws — including race, health, biometric, genetic, precise geolocation, sexual orientation, immigration status, and children's data — typically requiring opt-in consent.
Overview
Sensitive Personal Information (SPI) — also called "sensitive data" or "sensitive personal data" depending on the statute — is the subset of personal information that US privacy laws treat as higher-risk. Its processing generally requires either affirmative opt-in consent (19 states) or a consumer's affirmative right to limit use (California, which opted for an opt-out model instead).
The category exists because certain kinds of information, once exposed or misused, cause harms that are qualitatively different from ordinary PII: discrimination, loss of liberty, denial of medical care, damage to family relationships. SPI therefore triggers an elevated stack of obligations — opt-in consent, mandatory DPIAs, restricted retention, and in some cases outright prohibitions on sale.
When It Applies
SPI rules engage any time a controller collects, infers, or discloses data in one of the enumerated categories. The consequences:
- Processing cannot begin (in opt-in states) until the consumer has given explicit affirmative consent separate from any bundled ToS acceptance
- A DPIA is effectively mandatory (see DPIA)
- Retention periods must be tied to the specific purpose — indefinite retention is unlikely to be defensible
- In California, the consumer has a standalone "Right to Limit Use and Disclosure of Sensitive Personal Information"
- Breach notification thresholds are lower; some states require notice for any unauthorized exposure of SPI regardless of volume
Variations Across Jurisdictions
The categories are broadly consistent across state laws, with a few notable expansions. From docs/privacy-knowledge/consolidated/DATA_CLASSIFICATION.md Table 2:
| Category | CA | VA/CO/CT/19 others | Notes |
|---|---|---|---|
| Racial or ethnic origin (D10) | Sensitive | Sensitive | Universal |
| Religious beliefs (D11) | Sensitive | Sensitive | Universal |
| Health data (D04) | Sensitive | Sensitive | WA MHMDA and CA CHDPA add sectoral overlays |
| Reproductive health (D05) | Sensitive | Sensitive | Heightened scrutiny post-Dobbs |
| Biometric data (D06) | Sensitive | Sensitive | IL BIPA, TX CUBI, WA HB 1493 add sectoral obligations |
| Genetic data (D07) | Sensitive | Sensitive | Universal |
| Neural data (D08) | Standard | Sensitive in CO and MN only | Emerging category |
| Precise geolocation (D09) | Sensitive | Sensitive; PROHIBITED SALE in Oregon | Usually defined as within 1,750 ft or 1,850 ft radius |
| Sexual orientation / gender identity (D12) | Sensitive | Sensitive; Oregon explicitly lists transgender status | — |
| Immigration status (D13) | Sensitive | Sensitive | Universal |
| Children under 13 (D14) | Sensitive | Sensitive | COPPA overlay applies federally |
| Teens 13-17 (D15) | Standard | Sensitive for 13-16 in CT and OR 2026 amendments | Expanding rapidly |
| Login credentials (D03) | Sensitive | Standard | California is the outlier |
California (CCPA/CPRA) is unique in applying an opt-out model — processing is permitted by default, but the consumer can exercise the Right to Limit at any time. The 19 other comprehensive states require affirmative opt-in before processing begins.
Oregon treats precise geolocation as PROHIBITED SALE — it may be processed with opt-in but never sold regardless of consent.
Maryland (MODPA) applies a stricter data-minimization-first layer: even with consent, SPI collection is limited to what is strictly necessary for the service the consumer requested.
How Inori Handles This
Inori's data surface includes limited SPI exposure — primarily (i) government identifiers that may appear in insurance documents and (ii) precise addresses in commercial-real-estate records.
Grounding in code:
- Classification at ingest — src/lib/privacy/data-classification.ts tags fields per the D01-D21 taxonomy from docs/privacy-knowledge/consolidated/DATA_CLASSIFICATION.md.
- Opt-in gates — notification_preferences.analytics_opt_out plus explicit consent modals (src/components/consent/) capture opt-in for any SPI-adjacent processing before it occurs.
- GPC respect — middleware.ts:respectGpc honors Sec-GPC: 1 and applies it to the Right to Limit in California.
- Retention — SPI fields inherit per-purpose TTLs enforced by src/app/api/cron/hard-purge-deleted-accounts and documented in the privacy notice v1.2.
- Breach routing — the incident playbook treats any SPI exposure as triggering the strictest state threshold in Matrix 6 of COMPLIANCE_MATRIX.md.
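The jurisdiction rules described on this page (California's opt-out model with GPC, opt-in elsewhere, Oregon's sale prohibition, Maryland's strict-necessity layer) can be combined into one fail-closed decision function. This is an added sketch, not Inori's code: every type and function name is hypothetical, and it assumes any state other than California is handled as opt-in.

```typescript
// Added illustration: all names are hypothetical, not Inori's code.
type Category = "health" | "precise_geolocation" | "login_credentials" | "standard";

interface SpiRequest {
  state: string;                   // consumer's two-letter US state
  category: Category;
  action: "process" | "sell";
  headers: Record<string, string>; // raw request headers
  optInConsent: boolean;           // explicit consent, separate from ToS acceptance
  limitRequested: boolean;         // stored California Right to Limit request
  strictlyNecessary: boolean;      // required for the service the consumer requested
}
interface Decision { allowed: boolean; reason: string; }

// Header names are case-insensitive; only the exact value "1" is a GPC signal.
function hasGpc(headers: Record<string, string>): boolean {
  return Object.keys(headers).some(
    (k) => k.toLowerCase() === "sec-gpc" && (headers[k] ?? "").trim() === "1");
}

function isSensitive(state: string, category: Category): boolean {
  if (category === "standard") return false;
  // Per the table above, login credentials are sensitive only in California.
  if (category === "login_credentials") return state === "CA";
  return true;
}

function decideSpi(req: SpiRequest): Decision {
  if (!isSensitive(req.state, req.category)) return { allowed: true, reason: "not-spi" };
  // Oregon: precise geolocation may never be sold, regardless of consent.
  if (req.state === "OR" && req.category === "precise_geolocation" && req.action === "sell") {
    return { allowed: false, reason: "or-prohibited-sale" };
  }
  if (req.state === "CA") {
    // Opt-out model: permitted by default until the Right to Limit is exercised,
    // either through a stored request or a GPC signal on this request.
    if (req.limitRequested || hasGpc(req.headers)) {
      return { allowed: false, reason: "ca-right-to-limit" };
    }
    return { allowed: true, reason: "ca-default" };
  }
  // Assumption: every other state is handled as opt-in, so unknown states fail closed.
  if (!req.optInConsent) return { allowed: false, reason: "opt-in-required" };
  // Maryland: consent alone is not enough; the use must be strictly necessary.
  if (req.state === "MD" && !req.strictlyNecessary) {
    return { allowed: false, reason: "md-not-strictly-necessary" };
  }
  return { allowed: true, reason: "opt-in-consent" };
}
```

Returning a reason string alongside the boolean lets the caller log why a given SPI use was blocked, which is useful evidence when a consent or Right to Limit decision is later questioned.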
Related Concepts
SPI processing almost always requires a DPIA. The opt-out right for profiling based on SPI is described at Profiling Opt-out. California's framework is the outlier — see CCPA/CPRA for the Right to Limit.