Sensitive personal information — heightened protection across jurisdictions
Primary statement
Sensitive Personal Information (SPI) — including health data, biometrics, racial / ethnic origin, religious beliefs, sexual orientation, precise geolocation, government IDs, financial account data, and children's data — receives heightened protection. The strictest specifications: (1) consent regime — opt-in for processing (most state laws + GDPR Article 9) OR right to limit use to necessary services (CCPA 1798.121); (2) data protection assessment for high-risk SPI processing (MODPA 14-4607); (3) strict minimisation — only data strictly necessary (MODPA, MHMDA); (4) consent records retained for the duration of processing plus retention period (ISO 27701 A.1.2.4); (5) special-category consumer health data regime (MHMDA, Washington) with consent and privacy policy requirements.
Audit-fatigue payoff
A unified sensitive-data programme — SPI inventory + consent management + data protection assessment + strict minimisation + jurisdiction-specific addenda — satisfies sensitive-data obligations across CCPA, VCDPA, CPA, CTDPA, TDPSA, MODPA, MHMDA, GDPR, DPDPA, and ISO 27701 simultaneously. Without unification, sensitive-data processing is governed by patchwork jurisdiction-specific implementations; with unification, the strictest standard (MODPA minimisation + MHMDA consent + GDPR Article 9 prohibition) becomes the operational baseline that covers all narrower regimes.
Strictness matrix
Scope
Scope: special category data under GDPR Article 9 — racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life / sexual orientation. US state laws extend with: precise geolocation, government IDs, financial account data, children's data, citizenship / immigration status, mental and physical health diagnoses (MHMDA). The combined scope is the broadest sensitive-data definition across jurisdictions.
Ceiling source: gdpr:Art.9
Rationale: GDPR Article 9 has the most enumerated special-category list. US state laws extend with additional categories. The union of GDPR Article 9 + extended US state categories is the audit-defensible scope.
Threshold
Threshold: Maryland MODPA imposes the strictest US minimisation standard — collection limited to what is strictly necessary for the service. For SPI processing without consent: nine permitted purposes under CCPA Regulation § 7027 (perform services, prevent security incidents, debug, etc.). Outside permitted purposes, consent is required. GDPR Article 9: processing prohibited unless one of ten Article 9(2) exceptions applies (explicit consent, employment context, vital interests, etc.).
Ceiling source: modpa:MD.14-4604
Rationale: Maryland MODPA strict minimisation + GDPR Article 9 ten-exception structure combine to the strictest threshold. MODPA's "strictly necessary" standard is tighter than other states' "reasonably necessary".
Method
Method: (1) inventory all SPI processing activities; (2) for each activity, determine whether a permitted purpose applies or whether consent is required; (3) conduct a data protection assessment for high-risk SPI processing — targeted advertising, sale, profiling with foreseeable harm, processing of consumer health data (MHMDA), processing of children's sensitive data; (4) implement strict minimisation per MODPA — only data strictly necessary; (5) consent capture with records retained for the duration of processing + retention period (ISO 27701 A.1.2.4); (6) right-to-limit mechanism per CCPA 1798.121 — the consumer can direct the business to limit SPI use to necessary services; (7) MHMDA-specific consent + privacy policy for consumer health data.
Ceiling source: modpa:MD.14-4607
Rationale: MODPA § 14-4607 data protection assessment + § 14-4604 strict minimisation combine to the strictest method specification. The data protection assessment trigger is uniquely strict in the US context.
Frequency
Data protection assessment cadence: per processing activity at inception + on material change. SPI inventory refresh: continuous through change management + annual completeness review. Consent records retention: for the duration of processing + retention period (no shorter than 12 months post-withdrawal per ISO 27701 A.1.2.4). Privacy policy update: annual minimum + on material change. Consumer health data programme review (MHMDA): annual.
Ceiling source: modpa:MD.14-4607
Rationale: MODPA § 14-4607 sets the strictest data protection assessment cadence. Per-activity at inception + on material change is the audit-defensible reference.
Evidence
Required evidence: (1) SPI inventory with all sensitive data categories enumerated; (2) data protection assessments per high-risk processing activity (MODPA standard); (3) consent records per SPI processing activity (ISO 27701 A.1.2.4); (4) strict-necessity analysis per MODPA showing only necessary data collected; (5) right-to-limit mechanism (CCPA 1798.121) with sample limit requests processed; (6) MHMDA consent + privacy policy for consumer health data (if applicable); (7) jurisdiction-specific addendum library showing per-state / per-jurisdiction compliance posture.
Ceiling source: modpa:MD.14-4607
Rationale: MODPA § 14-4607 evidence list combined with ISO 27701 A.1.2.4 consent records + CCPA 1798.121 right-to-limit evidence + MHMDA specifics produces the most comprehensive package. The data protection assessment evidence is uniquely strict in the US context.
Auditor test pattern
Step 1: Inspect the SPI inventory; verify it covers GDPR Article 9 categories + US state-specific extensions (precise geolocation, government IDs, children's data, etc.). Step 2: Sample 1 high-risk SPI processing activity (e.g., targeted advertising, profiling, sale); verify a data protection assessment exists per the MODPA standard. Step 3: For Maryland consumers / processing in scope, verify a strict-necessity analysis exists per collected SPI category. Step 4: Sample 3 SPI consent records and verify each covers a specific purpose (not bundled with general consent). Step 5: Test the right-to-limit mechanism (CCPA 1798.121) by tracing a sample limit request end to end. Step 6: For consumer health data, verify MHMDA-specific consent and privacy policy. Step 7: Inspect the jurisdiction-specific addendum library; verify the per-state compliance posture is documented.
Common findings
Common 2024–26 findings: (1) SPI inventory incomplete — children's data, precise geolocation, and government IDs missed; (2) Data protection assessments performed for GDPR Article 35 but not extended to MODPA requirements; (3) Strict-necessity analysis absent — collection driven by "we might use it later"; (4) Consent for SPI bundled with general consent — fails specific-purpose requirement; (5) Right-to-limit mechanism absent or hidden in privacy policy; (6) MHMDA programme absent despite processing consumer health data — Washington jurisdiction overlooked; (7) Jurisdiction-specific addenda missing — single global SPI policy applied without state-specific tailoring.