
Sensitive Data Under US State Privacy Laws in 2026

Health data, precise location, and other sensitive categories get special treatment under US state laws, and the rules split between opt-in consent and a right to limit. Here is how to handle them.

US state privacy laws treat some categories of data as more dangerous than the rest, and they attach stricter rules to them. If your site collects or infers anything about a visitor's health, precise location, race, religion, sexual orientation, or immigration status, the ordinary opt-out model may not be enough. Depending on the state, you may need affirmative opt-in consent before you collect it at all.

This guide explains what counts as sensitive data, the two very different consent models states use, and the specific health and location rules that have already produced enforcement.

What counts as sensitive data

The categories are broadly consistent across state laws. Sensitive data usually includes:

  • Racial or ethnic origin, religious beliefs, and philosophical beliefs
  • Mental or physical health diagnosis or condition
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data used to identify a person
  • Precise geolocation
  • Personal data collected from a known child

What trips up website operators is that sensitive data can be inferred, not merely collected directly. If your analytics or ad pixels let a third party deduce that a visitor is reading about a specific medical condition, that inference can itself be regulated sensitive data. That was the crux of the Healthline enforcement discussed below.

Two consent models: opt-in versus a right to limit

States handle sensitive data in one of two ways, and the difference is fundamental to how you build your consent flow.

Opt-in consent (the Virginia model, used by most states). Virginia and the laws modeled on it require affirmative opt-in consent before you process sensitive data. This is closer to the European standard. You cannot collect the data first and offer an opt-out later. Colorado, Connecticut, Texas, Oregon, Montana, and most newer laws follow this approach.

Right to limit (the California model). California is the outlier. Instead of requiring opt-in, the CPRA gives consumers a right to limit the use and disclosure of "sensitive personal information" to what's necessary to provide the service. You must offer a "Limit the Use of My Sensitive Personal Information" link (or fold it into a combined "Your Privacy Choices" link). It's an opt-out-style control rather than a gate.

If you operate nationally, the practical answer is usually to default to the stricter opt-in model for sensitive-data processing, because it satisfies both camps.

Precise geolocation has a specific definition

"Precise geolocation" isn't vague. Most state laws define it as data that pinpoints a person within a radius of about 1,750 feet. California's CCPA uses a slightly wider 1,850-foot radius. Either way, the definitions are narrow enough that city- or ZIP-level location generally isn't "precise," but GPS-grade coordinates and many mobile SDK signals are. If you collect precise location, treat it as sensitive and apply the appropriate consent model.
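
As an added example (not code from the CookieBeam guide), the JavaScript below classifies a location record against the radii quoted above and, where the visitor has not consented to precise location, snaps the coordinates to a grid whose cells are wider than twice the statutory radius, so the stored point no longer pinpoints a person within it. The accuracy-radius record shape, the degree-length constant and that grid-cell reading of "not precise" are assumptions made for this example.

```javascript
// Added example: precise-geolocation check and coarsening (not CookieBeam's code).
// Radii come from the guide; everything else here is an illustrative assumption.
const PRECISE_RADIUS_FT = { default: 1750, CA: 1850 };

// Approximate length of one degree of latitude in feet (assumed constant).
const FEET_PER_DEGREE_LAT = 364000;

function preciseRadiusFor(state) {
  return PRECISE_RADIUS_FT[state] ?? PRECISE_RADIUS_FT.default;
}

// A record is "precise" when its reported accuracy radius is within the
// threshold that applies in the visitor's state (record shape is assumed).
function isPreciseGeolocation(record, state) {
  return record.accuracyFt <= preciseRadiusFor(state);
}

// Snap a point to the centre of a grid cell whose side is more than twice
// the radius: a square that wide cannot fit inside a circle of that radius,
// so the stored point no longer locates the person within the threshold.
function coarsen(record, state, margin = 1.1) {
  const sideFt = 2 * preciseRadiusFor(state) * margin;
  const latStep = sideFt / FEET_PER_DEGREE_LAT;
  // Longitude degrees shrink with latitude, so widen the step accordingly.
  const lonStep = latStep / Math.cos((record.lat * Math.PI) / 180);
  const snap = (v, step) => (Math.floor(v / step) + 0.5) * step;
  return {
    lat: snap(record.lat, latStep),
    lon: snap(record.lon, lonStep),
    accuracyFt: Math.round(sideFt), // the point now stands for a whole cell
    coarsened: true,
  };
}

// Keep precise coordinates only with consent; otherwise coarsen before storing.
function storeLocation(record, state, consentedToPrecise) {
  if (!isPreciseGeolocation(record, state) || consentedToPrecise) {
    return { ...record, coarsened: false };
  }
  return coarsen(record, state);
}
```

The same 1,800-foot accuracy record is not "precise" in a 1,750-foot state but is in California, which is the kind of boundary case a nationwide site has to handle.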

Dedicated consumer health data laws go further

Two states created standalone health-privacy laws that reach well beyond the general statutes, and they apply to ordinary businesses, well beyond HIPAA-covered entities.

Washington's My Health My Data Act (MHMDA). Effective March 31, 2024 for most businesses (June 30, 2024 for small businesses), MHMDA requires a separate consumer health data privacy policy, affirmative consent before collecting consumer health data, and separate written authorization before selling it. It bans geofencing around facilities that provide health care to identify or track consumers. Critically, it includes a private right of action, which lets individuals sue directly rather than leaving enforcement to the AG alone.

Nevada's SB 370. Also effective March 31, 2024, Nevada's law is a close cousin. It doesn't include a private right of action; violations are enforced as deceptive trade practices. Both laws define "consumer health data" broadly enough to capture inferences drawn from non-health data, such as purchases or browsing. See the Orrick analysis for the detailed comparison.

The enforcement lesson: Healthline

In July 2025 the California Attorney General reached a $1.55 million settlement with Healthline, its largest CCPA settlement to date. The state alleged Healthline shared article titles with advertisers that let them infer a reader's likely diagnosis of conditions such as HIV or multiple sclerosis, and kept sharing data for targeted advertising even after users sent a Global Privacy Control opt-out. The case is a clear warning: the mere fact that a visitor is reading a health article, combined with an identifier, can be treated as sensitive data sharing. See the AG's press release for the details.

A second warning: precise location in Texas

Sensitive-data enforcement isn't only a California story. In January 2025 the Texas Attorney General sued Allstate and its subsidiary Arity, alleging they collected precise geolocation data from more than 45 million Americans through software embedded in third-party mobile apps, then used and sold it, without the clear notice and informed consent the Texas Data Privacy and Security Act requires for sensitive data. It was the first enforcement lawsuit brought under a broad state privacy law, and the TDPSA carries penalties of up to $7,500 per violation. The lesson is that mobile SDKs and location-hungry ad partners are exactly the kind of processing regulators are now watching, and precise location gets treated as sensitive across the state laws.

What websites should actually do

  • Gate sensitive-context tracking behind consent. On pages about health, finances, or other sensitive topics, don't fire advertising or analytics pixels that share an identifier until the visitor has consented.
  • Default to opt-in for sensitive categories if you serve visitors nationwide. It's the model that satisfies the most states.
  • Watch the inferences, not the fields alone. You may be processing sensitive data even if you never ask for it directly.
  • Avoid geofencing near health facilities. Washington's ban carries private lawsuits.
  • Offer the California controls if you're in scope there: a way to limit use of sensitive personal information, honored alongside GPC.
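
An added example, not the guide's or CookieBeam's code, that puts the checklist above together with the two consent models from the earlier section: a gate that decides whether identifier-sharing pixels may fire on a page, applying opt-in in Virginia-style states, the right to limit in California, and Global Privacy Control everywhere. The state-to-model mapping, the topic tags, the visitor fields and the tag descriptors are assumptions.

```javascript
// Added example: sensitive-context consent gate (not CookieBeam's code).
// Which states use which model is an assumed mapping for illustration.
const OPT_IN_STATES = new Set(["VA", "CO", "CT", "TX", "OR", "MT"]);
const RIGHT_TO_LIMIT_STATES = new Set(["CA"]);

// Page topics the site treats as sensitive contexts (constructed list).
const SENSITIVE_TOPICS = new Set(["health", "finance", "immigration", "religion"]);

function consentModelFor(state) {
  if (RIGHT_TO_LIMIT_STATES.has(state)) return "right-to-limit";
  // Opt-in states and any unknown state: the stricter model satisfies both camps.
  return "opt-in";
}

// GPC arrives as navigator.globalPrivacyControl in the browser or as the
// Sec-GPC request header on the server; either form counts as an opt-out.
function hasGpcSignal(nav, headers) {
  const fromNav = Boolean(nav && nav.globalPrivacyControl === true);
  const fromHeader = Boolean(headers && headers["sec-gpc"] === "1");
  return fromNav || fromHeader;
}

// May pixels that share an identifier fire on this page for this visitor?
// visitor: { state, optedIn, limitedSensitiveUse, gpc } (assumed shape)
function mayFireIdentifyingPixels(page, visitor) {
  // A GPC opt-out blocks sharing for advertising on every page, as the
  // Healthline case shows; it is checked before any topic logic.
  if (visitor.gpc) return false;
  if (!SENSITIVE_TOPICS.has(page.topic)) return true;
  if (consentModelFor(visitor.state) === "opt-in") {
    return visitor.optedIn === true; // affirmative consent must come first
  }
  return visitor.limitedSensitiveUse !== true; // opt-out style control
}

// Split a page's tags into those that may fire now and those held back until
// consent; tags that share no identifier (e.g. cookieless, first-party
// analytics) are not gated here. Tag objects: { name, sharesIdentifier }.
function planTags(page, visitor, tags) {
  const allowed = mayFireIdentifyingPixels(page, visitor);
  const fire = [];
  const defer = [];
  for (const t of tags) {
    (!t.sharesIdentifier || allowed ? fire : defer).push(t.name);
  }
  return { fire, defer };
}
```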

For related reading, see our guides on healthcare and HIPAA cookie consent, children's privacy under COPPA, and the complete US state privacy laws guide.

Sensitive Data Under US State Privacy Laws 2026 | CookieBeam