Compliance Glossary

What is Sensitive Personal Information?

Definition

Sensitive personal information under CPRA includes specific categories requiring heightened protections: government IDs, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail/email/text content, genetic data, biometrics, health data, and sex life or orientation.

In Depth

CPRA introduced the concept of sensitive personal information (SPI) as a category requiring additional consumer protections beyond those for general personal information. Consumers have the right to limit a business's use and disclosure of their SPI to purposes necessary for providing the goods or services they requested. Businesses that use or disclose SPI for purposes beyond service delivery must provide a "Limit the Use of My Sensitive Personal Information" link on their website and honor consumer requests to limit use.

The processing limitations for SPI are significant: businesses cannot use SPI for profiling, cross-context behavioral advertising, or other secondary purposes without explicit consumer authorization. Organizations must first identify which data elements in their systems qualify as SPI, then implement controls to track and limit processing to permitted purposes, and provide the required opt-out mechanism.

The SPI category creates a two-tier system within CCPA: general personal information with opt-out rights for sales and sharing, and sensitive personal information with additional limitations on use. This mirrors the approach taken by GDPR with special category data, though the specific categories and requirements differ.
