Product & Team Playbooks

Table of Content

Table of Content

Table of Content

Set up sensitive data protections

Sensitive personal data carries higher risks under GDPR and CPRA, requiring stronger safeguards and stricter limits on processing. Protecting this information reduces legal exposure and demonstrates a strong commitment to user privacy.

Set Up Sensitive Data Protections

Sensitive personal data carries higher risks under GDPR and CPRA, requiring stronger safeguards and stricter limits on processing. Protecting this information reduces legal exposure and demonstrates a strong commitment to user privacy.

What Counts as Sensitive Data

  • GDPR: Health, biometrics, genetics, racial or ethnic origin, political opinions, religious beliefs, sexual orientation.

  • CPRA: Social Security numbers, driver’s license/passport, precise geolocation, financial details, health, biometrics, and contents of communications.

Minimization and Purpose Limitation

  • Collect sensitive data only when absolutely necessary.

  • Clearly state the purpose before collection and avoid secondary uses.

  • Apply age verification where required (minors’ data).

Stronger Security Controls

  • Encrypt sensitive data both in transit and at rest.

  • Apply stricter access controls with MFA and role separation.

  • Mask or pseudonymize data when full details are not required.

Consumer Choice (CPRA)

  • Provide a “Limit the Use of My Sensitive Personal Information” option.

  • Honor requests promptly and log them for compliance.

Example: Payment Processing

A payment processor collects credit card details. Sensitive fields are encrypted with AES-256, access is limited to the billing system, and a CPRA opt-out option is provided for using purchase history in targeted advertising.

Implementing Protections in Practice

Database encryption

-- Encrypt sensitive fields with pgcrypto
UPDATE users
SET ssn_encrypted = pgp_sym_encrypt(ssn, current_setting('app.encryption_key'));

Masking in logs

log.info("User payment attempted", extra={"card_number": "**** **** **** 1234"})

Opt-out toggle for CPRA

<label>
  <input type="checkbox" name="limit_sensitive" checked>
  Limit the Use of My Sensitive Personal Information
</label>

Quick Sensitive Data Checklist

  • Identify sensitive data categories under GDPR and CPRA

  • Minimize collection and avoid unnecessary storage

  • Encrypt, mask, and limit access with strict controls

  • Provide opt-out or limitation options under CPRA

  • Keep audit records of sensitive data processing decisions

Conclusion

Sensitive data protections go beyond standard privacy measures. By minimizing collection, applying advanced safeguards, and honoring consumer limits, companies reduce risk and show customers their most private information is handled with the highest level of care.

Apply privacy in product design

Apply privacy in product design

Apply privacy in product design

Add a Do Not Sell or Share link

Add a Do Not Sell or Share link

Add a Do Not Sell or Share link