Is personally identifiable information (PII) the same as sensitive personal data under the regulations?
“Sensitive personal data” is defined to include ten specified categories of data that may be maintained or collected by U.S. businesses. The categories include certain types of financial, geolocation, and health data, among others. Moreover, a U.S. business that maintains or collects these categories of data on U.S. citizens is considered to have sensitive personal data only to the extent that it (i) targets or tailors products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collects or maintains such data on at least one million individuals, or (iii) has a demonstrated business objective to maintain or collect such data on more than one million individuals, where such data is an integrated part of the U.S. business’s primary products or services. Genetic test information is also included in the definition regardless of whether it meets (i), (ii), or (iii).