CIPL Publishes Discussion Paper Comparing U.S. State Privacy Law Definitions of Personal Data and Sensitive Data

On November 12, 2025, the Centre for Information Policy Leadership (“CIPL”) at Hunton published a discussion paper titled “Comparing U.S. State Privacy Laws: Covered and Sensitive Data” (“Discussion Paper”), the latest in its discussion paper series comparing key elements of U.S. state privacy laws.

The concepts of personal data – and the types of personal data categorized as “sensitive” – are foundational elements of U.S. state privacy laws and regulations. However, the criteria for what qualifies as “sensitive” – and the legal consequences that follow – are not always aligned across U.S. state privacy laws. As a result, organizations are tasked with operationalizing varying definitions across a fragmented and inconsistent legal landscape.

The Discussion Paper analyzes the scope, applicability, exemptions and key definitions of “personal data” and “sensitive” data under comprehensive U.S. state privacy laws. It examines the most common approaches, as well as outliers, with a focus on three topics:

  1. The concept of personal data (or “personal information”) (including an analysis of exclusions such as “deidentified” and “publicly available” data)
  2. The definition of “sensitive data” (or “sensitive personal information”)
  3. Relevant exemptions

The patchwork of definitions and classifications of personal data across U.S. state privacy laws has created operational and compliance challenges for organizations that handle diverse types of data across different sectors and jurisdictions. The lack of alignment in legal definitions and obligations complicates organizations' risk assessments, accountability mechanisms and the design of privacy programs, diverting organizations' limited resources away from innovation. For policymakers and organizations, harmonizing the definitions of “personal data” and “sensitive” data, accounting for the context-specific nature of data sensitivity by focusing on intended use, and tying regulatory obligations to the actual risk of harm, should be a central focus. Clear, consistent rules in this space will ensure consumer clarity, support responsible data use, and facilitate the safe development and deployment of emerging technologies, such as artificial intelligence.  

Read the discussion paper HERE.
