Authored by: K Royal, technology columnist for, and vice president, associate general counsel of privacy, and compliance/privacy officer at CellTrust Corp.

This article was published as part of ACC’s “This Week in Privacy” series, a new column for in-house counsel who need advice in the privacy and cybersecurity sectors.

Q: I am confused by the term “sensitive personal data.” Why is a picture of someone considered sensitive personal data?

A: The term “sensitive data” has multiple meanings, which may change depending on the region being considered. After reviewing the data laws of 37 countries, I have found that some elements are consistent and some are not quite as universal. The most common definition across the countries is the one in the European Data Protection Directive, which classifies data about “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, health, and sex life” as sensitive data. This will be expanded under the EU General Data Protection Regulation, which adds both genetic and biometric data.

In the United States, you would have to look at federal statutes that deal with privacy, although they do not necessarily define “sensitive data.” These include:

  • Children’s Online Privacy Protection Act (COPPA);
  • Driver’s Privacy Protection Act of 1994 (DPPA);
  • Electronic Communications Privacy Act (ECPA);
  • Fair Credit Reporting Act (FCRA);
  • Fair and Accurate Credit Transactions Act of 2003 (FACTA);
  • Federal Trade Commission (FTC) Act;
  • Family Rights and Privacy Act (FERPA);
  • Gramm-Leach-Bliley Act (GLBA);
  • Health Insurance Portability and Accountability Act (HIPAA);
  • Privacy Act of 1974;
  • Red Flag Rule (Identity Theft Regulation);
  • Video Privacy Protection Act (VPPA); and
  • Data Breach Notification laws under most US states.

Some countries include additional elements in the definition of sensitive data, such as professional or trade association membership, age, tax information, and even personality and abnormal addictions.

It is no wonder that this is a confusing term. The critical factor is that, when considering whether something is sensitive data or not, you should set aside the lens of your own country and consider the data from the perspective of the country in question: Does the person live there? Are they a citizen? Is the data stored there? Is there extraterritoriality?

Back to the original question: how can a picture of a person be considered sensitive personal data? Because an image of a person may reveal gender, ethnicity, political or religious beliefs, and other such elements that may fall under the definition of sensitive personal data under the rules that apply.

For further reading about the data security and privacy practices of six companies with global operations, download the ACC primer "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as for integrating policies and practices with systems and security features.