Thomson Reuters may collect highly sensitive personal information, including health records, biometric data, political views, and criminal history, and states it only does so where legally permitted.
This analysis describes what Thomson Reuters's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Sensitive personal information carries the highest privacy risk and is subject to the strongest legal protections in most jurisdictions; its collection by a data broker and information products company creates heightened exposure for affected individuals.
Interpretive note: The statement does not specify which products or services process which sensitive categories, making it difficult to assess the scope of this processing in practice without further inquiry.
If Thomson Reuters collects sensitive data about you, such as health information, biometric identifiers, or political affiliations, through its products or data broker operations, that data is subject to stricter legal protections but also represents the highest category of privacy risk if mishandled or disclosed.
Cross-platform context
See how other platforms handle Sensitive Personal Information Processing and similar clauses.
Compare across platforms →Monitoring
Thomson Reuters has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may collect and process sensitive categories of personal information, which may include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation, and data relating to criminal convictions or offences. We process such information only where we have a lawful basis to do so under applicable law.— Excerpt from Thomson Reuters's Thomson Reuters Privacy
REGULATORY LANDSCAPE: Sensitive personal information processing engages GDPR Article 9, which requires an explicit legal basis such as explicit consent, vital interests, or public interest for processing, and prohibits processing absent such grounds. CPRA establishes a parallel category of sensitive personal information with associated rights to limit use and disclosure. HIPAA may be relevant if health data relates to covered healthcare information, though Thomson Reuters is generally not a covered entity. Illinois BIPA applies specifically to biometric data collection and has a private right of action. GOVERNANCE EXPOSURE: High. The breadth of sensitive categories listed, combined with Thomson Reuters' data broker operations, creates significant regulatory exposure. Under GDPR, each sensitive category requires separate lawful basis documentation, and Data Protection Impact Assessments are typically required for large-scale processing of special category data. The statement does not specify which products process which sensitive categories, limiting transparency. JURISDICTION FLAGS: EU and EEA jurisdictions create the highest exposure given GDPR Article 9's strict requirements. Illinois BIPA is relevant for any biometric processing and carries statutory damages. California CPRA's sensitive personal information provisions apply to California residents. New York and Virginia also have relevant sensitive data protections. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers whose data processing involves sensitive categories should confirm via DPA that Thomson Reuters does not use sensitive personal data for purposes beyond the contracted service, including AI training. Procurement teams should request a record of processing activities covering sensitive data categories. COMPLIANCE CONSIDERATIONS: Compliance teams should identify which Thomson Reuters products process sensitive personal information, ensure appropriate consent or other GDPR Article 9 grounds are documented, and assess whether DPIAs have been conducted. For Illinois-facing operations involving biometric data, BIPA compliance including written policies, consent, and retention schedules should be verified with Thomson Reuters.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Sensitive personal information carries the highest privacy risk and is subject to the strongest legal protections in most jurisdictions; its collection by a data broker and information products company creates heightened exposure for affected individuals.
If Thomson Reuters collects sensitive data about you, such as health information, biometric identifiers, or political affiliations, through its products or data broker operations, that data is subject to stricter legal protections but also represents the highest category of privacy risk if mishandled or disclosed.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Thomson Reuters.