Like the terms “personal information,” “personally identifiable information,” or “PII,” the terms “sensitive information” and “sensitive personal information” are often left undefined in contracts and treated as if they were terms of art for which there is a single definition. Because different statutes, regulations, and guidance documents define the terms differently, you could either say that they are not terms of art, or that they are terms of art that are highly dependent upon context. The following provides an example of one of the most expansive and one of the most narrow definitions of near-identical phrases, and illustrates the degree to which the meaning of such terms can differ depending upon context:

European Union General Data Protection Regulation (“GDPR”) definition of “special” data categories:

Personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership . . . genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation . . . .” [1]

Federal Trade Commission definition of “sensitive” personal information:

“The Commission defines as sensitive, at a minimum, data about children, financial and health information, Social Security numbers, and certain geolocation data . . .” [2]


Although these examples come from two different legal regimes (i.e., the European Union and the United States), significant discrepancies can exist even within a single legal regime, or within a single agency of that regime.

In terms of practical takeaways when you are drafting, reviewing, editing, or negotiating agreements:

  • If an agreement is intended to involve information relating to data subjects in the European Economic Area, it is more likely that the agreement will be interpreted against the backdrop of the GDPR and, therefore, that a statement referencing “sensitive information” would be interpreted to include the categories described within the GDPR as “special.” If the agreement is poorly drafted, this can inadvertently put one, or both, parties in breach of the agreement. For example, broad statements that one party is, or is not, receiving or transmitting “sensitive information” can easily be inaccurate.
  • If an agreement is intended to involve information only from data subjects in the United States, the term “sensitive information” will most likely be interpreted as including certain specific data fields, such as bank account numbers, but there may be ambiguity about other data fields.
  • In light of the ambiguities surrounding such terms, it is reasonable to object to agreements that do not define the terms, or that use obtuse definitions that escape practical application to contractual terms (e.g., “sensitive personal information” means any information that is treated as sensitive under any law, rule, or regulation).

1. GDPR, Art. 9(1).
2. FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers at 47 n.214 (Mar. 2012).