
28 CFR §202.249

Verified against eCFR.gov as of June 20, 2026.

(a) Definition. The term sensitive personal data means covered personal identifiers, precise geolocation data, biometric identifiers, human 'omic data, personal health data, personal financial data, or any combination thereof.

(b) Exclusions. The term sensitive personal data, and each of the categories of sensitive personal data, excludes:

    (1) Public or nonpublic data that does not relate to an individual, including such data that meets the definition of a “trade secret” (as defined in 18 U.S.C. 1839(3)) or “proprietary information” (as defined in 50 U.S.C. 1708(d)(7));

    (2) Data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories);

    (3) Personal communications; and

    (4) Information or informational materials and ordinarily associated metadata or metadata reasonably necessary to enable the transmission or dissemination of such information or informational materials.