
AI Legislation Is Finally Asking the Right Question: What Makes Data “Sensitive”?

For years, data privacy laws have treated personal information as a broad, largely uniform category.

That approach no longer works.

Artificial intelligence has changed the nature of data itself. It is no longer just what is collected. It is what can be inferred.

And that shift is now showing up in legislation.

Across the United States, both federal proposals and state-level laws are beginning to move away from generic privacy frameworks toward something more nuanced:

A tiered model of data sensitivity based on risk, context, and consequence.


The Old Model: One Definition of “Personal Data”

Historically, privacy laws have drawn a line between:

  • Personal data

  • Sensitive personal data

But even “sensitive” has been inconsistently defined.

In many frameworks, it includes things like:

  • Social Security numbers

  • Financial account information

  • Health records

That model made sense when data was static and siloed.

It breaks down in an AI-driven environment.

Because today:

  • A purchase history can imply medical conditions

  • Location data can reveal religious affiliation or political activity

  • Voice data can be cloned

  • Behavioral patterns can predict decision-making

The sensitivity is no longer just in the data itself.

It is in what the data becomes when processed.


What Lawmakers Are Starting to Recognize

Recent legislative activity—especially at the state level—shows a clear pattern:

Lawmakers are beginning to regulate categories of risk, not just categories of data.

Several trends are emerging.


1. Biometric and Likeness Data Is Becoming Its Own Class

Voice, facial recognition, and other biometric identifiers are being treated differently from traditional personal data.

Why?

Because they are:

  • Persistent (you cannot change your face or voice easily)

  • Replicable (AI can now synthesize them)

  • Identity-defining

Federal proposals around deepfakes and likeness rights reflect this shift.

At the state level, continued movement around facial recognition restrictions reinforces it.

Biometric data is evolving into regulated identity infrastructure.


2. Health Data Is Expanding Beyond HIPAA

Traditional healthcare privacy laws cover only clinical environments.

That boundary is collapsing.

States like Washington have already moved to regulate consumer health data, which includes:

  • Wellness apps

  • Behavioral signals

  • Non-clinical indicators of health status

This matters because AI can derive health insights from:

  • Search behavior

  • Purchase patterns

  • Location history

Health is no longer confined to the healthcare system.

Legislation is catching up.


3. High-Risk Decisioning Is a New Regulatory Anchor

Some of the most important legislative work is not about data at all.

It is about what AI does with data.

States like Colorado have focused on “high-risk” AI systems used in areas like:

  • Employment

  • Housing

  • Lending

  • Insurance

  • Healthcare

  • Education

  • Government services

The logic is straightforward:

If a system can materially affect someone’s life outcomes,
it should be governed differently.

This is a shift from data governance to outcome governance.


4. Context Is Becoming a First-Class Variable

A growing number of proposals differentiate not just by data type, but by context of use.

For example:

  • AI in behavioral health settings

  • AI simulating human relationships (companions)

  • AI interacting with children

These contexts introduce:

  • Power imbalances

  • Psychological influence

  • Increased vulnerability

Which means the same data, used in a different context, may require different rules.

Sensitivity is situational.


5. The Federal vs. State Tension Is Intensifying

One of the most important meta-trends:

States are moving faster than the federal government.

This is creating:

  • Fragmentation

  • Compliance complexity

  • Conflicting definitions of sensitive data

At the same time, federal policymakers are signaling concern about this patchwork and pushing for national standards.

The result:

We are entering a period of parallel regulatory evolution.


The Core Shift: From Data Types to Risk Tiers

The most important takeaway is this:

We are moving from what data is
to what data can do.

A modern framework for AI-era governance likely needs to account for:

  • Identity data (biometric, voice, likeness)

  • Health-adjacent data (inferred or behavioral health signals)

  • Behavioral and psychological data

  • Precise geolocation

  • Children’s data

  • Decision-shaping data (used in consequential systems)

Each of these carries a different risk profile.

Each should be governed accordingly.


What This Means for Businesses Right Now

Most organizations are not structured for this shift.

They still think in terms of:

  • “PII vs non-PII”

  • “HIPAA vs non-HIPAA”

  • “Secure vs not secure”

That is no longer sufficient.

A more durable approach looks like:

  • Mapping data not just by type, but by inference potential

  • Classifying systems by impact on human outcomes

  • Designing controls based on context of use

  • Evaluating whether AI introduces new categories of risk, not just scale

Because regulation is not going to wait for companies to catch up.


Where This Is Headed

The direction is clear.

AI governance will not be built on a single definition of sensitive data.

It will be built on:

  • Layers

  • Context

  • Use cases

  • Consequences

And organizations that understand that early will be in a very different position from those reacting to it later.


Final Thought

A voiceprint is not just data.
A therapy interaction is not just text.
A location ping is not just metadata.
A model output is not just software.

In an AI-driven world, sensitivity is defined by what can be inferred—and what can be done with it.

That is the question legislation is finally starting to answer.