sensitive personal data

The term sensitive personal data means, except as provided in paragraph (b) of this section:
(1) Identifiable data that is:
(i) Maintained or collected by a U.S. business that:
(A) Targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof;
(B) Has maintained or collected any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals at any point over the twelve (12) months preceding the earliest of the completion date, the date of any of the events described in § 800.104(b)(2) through (4) (as applicable), or the date of filing of a written notice or submission of a declaration, unless the U.S. business can demonstrate that at the time of the completion date of the transaction it had or will have neither the capability to maintain nor the capability to collect any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals; or
(C) Has a demonstrated business objective to maintain or collect any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals and such data is an integrated part of the U.S. business's primary products or services; and
(ii) Within any of the following categories:
(A) Financial data that could be used to analyze or determine an individual's financial distress or hardship;
(B) The set of data in a consumer report, as defined under 15 U.S.C. 1681a, unless such data is obtained from a consumer reporting agency for one or more purposes identified in 15 U.S.C. 1681b(a) and such data is not substantially similar to the full contents of a consumer file as defined under 15 U.S.C. 1681a;
(C) The set of data in an application for health insurance, long-term care insurance, professional liability insurance, mortgage insurance, or life insurance;
(D) Data relating to the physical, mental, or psychological health condition of an individual;
(E) Non-public electronic communications, including email, messaging, or chat communications, between or among users of a U.S. business's products or services if a primary purpose of such product or service is to facilitate third-party user communications;
(F) Geolocation data collected using positioning systems, cell phone towers, or WiFi access points such as via a mobile application, vehicle GPS, other onboard mapping tool, or wearable electronic device;
(G) Biometric enrollment data including facial, voice, retina/iris, and palm/fingerprint templates;
(H) Data stored and processed for generating a state or federal government identification card;
(I) Data concerning U.S. Government personnel security clearance status; or
(J) The set of data in an application for a U.S. Government personnel security clearance or an application for employment in a position of public trust; and
(2) The results of an individual's genetic tests, including any related genetic sequencing data, whenever such results constitute identifiable data. Such results shall not include data derived from databases maintained by the U.S. Government and routinely provided to private parties for purposes of research. For purposes of this paragraph, “genetic test” shall have the meaning provided in 42 U.S.C. 300gg–91(d)(17).

Source

31 CFR § 800.241


Scoping language

None