These are the most sensitive categories of personal data and their collection by any entity, particularly a data broker that has experienced significant data breaches historically, creates meaningful risk if data is misused or exposed.
These categories of data carry the highest privacy risk; their exposure in a data breach or unauthorized sharing can cause significant harm including identity theft, discrimination, and financial loss.
Gusto
· Gusto Privacy Policy
This data is among the most sensitive a company can hold; unauthorized exposure could enable identity theft, financial fraud, or discrimination.
The collection of sensitive personal information categories including financial account identifiers and government-issued IDs creates heightened obligations under CPRA and analogous state statutes, and the right to limit use means consumers can restrict Walmart from using this data for purposes beyond the immediate service transaction.
This is among the most sensitive category of personal data under both GDPR and US state privacy laws, and its collection on a professional networking and job platform creates meaningful risk if data is misused or inadvertently disclosed to employers.
Sensitive personal information categories carry heightened regulatory protection under multiple state laws, and the phrase 'as otherwise permitted by applicable law' leaves the scope of permitted uses subject to evolving legal standards.
Ford
· Ford Privacy Policy
Sensitive personal information including precise geolocation and biometrics carries heightened privacy risks and is subject to special protections under California law; consumers have the right to limit how Ford uses this data category.
Sensitive personal information is subject to the strongest legal protections under state privacy laws, and its collection by a retail company is noteworthy given the breadth of categories disclosed.
The CPRA established specific rights for consumers to limit the use and disclosure of sensitive personal information; the policy's disclosure of sensitive data categories triggers those rights for California residents and creates heightened compliance obligations for Walmart's health and pharmacy data practices.
Users of AI chat platforms commonly share personal details in the course of conversation, and this provision acknowledges that sensitive categories of data may be collected through those interactions, with the policy's primary protection being an advisory warning rather than a technical or contractual restriction on collection.
Sensitive personal information carries the highest privacy risk and is subject to the strongest legal protections in most jurisdictions; its collection by a data broker and information products company creates heightened exposure for affected individuals.
Under CPRA, sensitive personal information is subject to heightened use limitations and consumers have a statutory right to limit its use beyond service delivery. This provision establishes the right but the operational scope of what constitutes service-necessary use for health and pharmacy data in an integrated retail-pharmacy context requires evaluation.
Grindr
· Grindr Privacy Policy
The provision creates a categorical restriction on the use of designated sensitive personal information categories within the entity's AI systems and model training processes, establishing a processing boundary that distinguishes these data elements from other information subject to the privacy policy's AI provisions.
Hinge
· Hinge Privacy Policy
Sexual orientation, health, and religious data are among the highest-risk categories of personal information because their exposure can lead to discrimination or harm in certain contexts, and the consent mechanism here is embedded in the act of voluntarily providing the data rather than through a separate explicit consent step.
Grindr
· Grindr Privacy Policy
Sexual orientation is a special category of personal data under GDPR and equivalent frameworks, requiring the highest level of protection. Using or sharing this data for advertising purposes raises significant legal and ethical concerns.
Many users may not realize that enrollment through an employer or university program means their learning activity is visible to that organization, which could affect employment or academic assessments.
Brex
· Brex Privacy Policy
This provision creates a CCPA/CPRA opt-out obligation and requires Brex to provide and honor a 'Do Not Sell or Share My Personal Information' mechanism; failure to do so creates enforcement exposure with the California Privacy Protection Agency.
Acorns
· Acorns Privacy Policy
This provision authorizes disclosure of personal information, which may include financial account data, device identifiers, and behavioral data, to advertising partners for targeted advertising purposes, a practice that may constitute sale or sharing under CCPA and that engages GLBA's restrictions on sharing nonpublic personal information with nonaffiliated third parties.
The policy states that Cash App may exchange information with credit bureaus, past and present employers, and personal reporting agencies, which creates a bilateral data relationship where information may both be received from and reported to these entities, with potential consequences for credit reports and financial access.
This provision means your financial data can reach companies outside the Bank of America corporate family for marketing purposes unless you actively exercise your opt-out right.
The creation of a named child profile that includes age and birth month, linked to watch and search history, represents a more detailed personal data record than the signed-out state and has direct implications for COPPA compliance given the identifiable nature of the information.
The Singapore regional deployment means that advertiser personal data and campaign data may be transferred outside the EU/EEA and UK, engaging cross-border transfer restrictions under GDPR Chapter V and UK GDPR, and requiring appropriate transfer mechanisms such as Standard Contractual Clauses.
This provision establishes that a US-domiciled entity is the data controller for EU and UK data subjects, which requires legally adequate transfer mechanisms for personal data flowing from the EEA or UK to the United States, and may require evaluation of local representative obligations under GDPR Article 27.
This is one of the most expansive data collection practices in consumer insurance: your real-time behavioral and location data is collected continuously and directly tied to how much you pay for coverage.
Bumble
· Bumble Privacy Policy
Dating app profiles inherently reveal or allow inference of sensitive personal characteristics such as sexual orientation and relationship preferences, which are special categories under GDPR requiring explicit consent and additional legal protections.
Adyen
· Adyen Privacy Policy
Biometric data is among the most sensitive personal data categories and is subject to heightened legal protection under GDPR, CCPA, and state laws like Illinois BIPA; its collection for KYC creates specific legal obligations around consent, retention, and security.
The clause creates a consolidated regulatory framework by extending the account restrictions and operational requirements across multiple account categories, ensuring consistent compliance requirements regardless of whether an account is designated as restricted, prepaid, or sponsored.
This provision clarifies which account classifications are governed by the Sponsored Account provisions, ensuring that minor account holders and their sponsors understand which regulatory and operational requirements apply to their specific account type.
The SCCs provide the contractual transfer mechanism required under GDPR Chapter V, but following the CJEU's Schrems II decision, customers must also conduct Transfer Impact Assessments to verify that supplementary measures are in place where US law may impair the SCCs' protections.
The provision's operational significance lies in its establishment that Xfinity's privacy practices are structured to accommodate multi-jurisdictional privacy requirements. This indicates the policy incorporates state-level legal obligations as distinct components rather than applying uniform terms across all jurisdictions.