§ 800.241 Sensitive personal data.

(a) The term sensitive personal data means, except as provided in paragraph (b) of this section:

(1) Identifiable data that is:

(i) Maintained or collected by a U.S. business that:

(A) Targets or tailors products or services to any U.S. executive branch agency or military department with intelligence, national security, or homeland security responsibilities, or to personnel and contractors thereof;

(B) Has maintained or collected any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals at any point over the twelve (12) months preceding the earliest of the completion date, the date of any of the events described in § 800.104(b)(2) through (4) (as applicable), or the date of filing of a written notice or submission of a declaration, unless the U.S. business can demonstrate that at the time of the completion date of the transaction it had or will have neither the capability to maintain nor the capability to collect any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals; or

(C) Has a demonstrated business objective to maintain or collect any identifiable data within one or more categories described in paragraph (a)(1)(ii) of this section on greater than one million individuals and such data is an integrated part of the U.S. business's primary products or services; and

(ii) Within any of the following categories:

(A) Financial data that could be used to analyze or determine an individual's financial distress or hardship;

(B) The set of data in a consumer report, as defined under 15 U.S.C. 1681a, unless such data is obtained from a consumer reporting agency for one or more purposes identified in 15 U.S.C. 1681b(a) and such data is not substantially similar to the full contents of a consumer file as defined under 15 U.S.C. 1681a;