It’s commonplace for businesses to collect personal data from consumers, but do you know the specific data types you’re actually processing?
Many of these categories fall under legal definitions of personal data or personal information under laws such as the GDPR, CCPA, and other global privacy regulations.
In this guide, I discuss the nine most commonly collected data types and provide insights into what you should know about them to remain on the right side of the law.
What Type of Data is Protected by Privacy Laws?
While the definition of ‘personal data’ changes depending on the privacy law, these pieces of legislation typically protect information that, alone or when combined with other details, can be used to identify an individual or household.
Some laws list specific categories of data, like the California Consumer Privacy Act (CCPA).
Others, like the General Data Protection Regulation (GDPR), are drafted broadly and in a technology-neutral way to ensure they cover almost any information relating to an identifiable person.
Does My Business Collect Any Data Types?
Your business most likely collects one or more different types of data, especially if you do any of the following:
- Sell goods or services online,
- Enable users to create login accounts,
- Request names and emails to send newsletters or marketing emails,
- Deploy internet cookies on site visitors’ browsers, which qualify as personal data,
- Use third-party services like Google Analytics, HubSpot, etc.
You should perform a privacy audit, so you know exactly what data your business collects, where and how it’s collected, and why you’re collecting it.
If the GDPR applies to your business, you must identify a lawful basis for processing.
Under U.S. state laws like the CCPA/CPRA, you must instead provide notice at collection and honor opt-outs, but do not need a lawful basis.
Throughout this audit, you’ll also ensure you’re providing the proper technical and security measures to keep all of the data safe from unauthorized access, leaks, and breaches.
What Are the Most Commonly Collected Data Types?
Now that I’ve reviewed how the collection of personal data is impacted by privacy laws, let’s look at nine of the most commonly collected categories of information.
1. Personally Identifiable Information (PII)
Personally identifiable information, or PII, is primarily a U.S. legal and regulatory term. Under the GDPR and many international laws, the equivalent concept is simply called ‘personal data.’
PII refers to any information that, alone or combined, can identify an individual.
It is a very commonly collected type of data, and can include details like:
- Names (first and last)
- Email addresses
- Phone numbers
- Home addresses/mailing addresses
This type of information is commonly collected when website visitors fill out their information in a payment portal or create accounts or logins.
Emails and names are often collected in order to send marketing emails or newsletters.
What You Need to Know
PII is almost always protected by privacy laws.
Ensure you’re providing users with appropriate and transparent notice by keeping your privacy policy and cookie policy properly updated with details about the PII your business collects.
2. Account and Authentication Data
Another very commonly collected type of data is account and authentication data, which can include information such as:
- Usernames
- Passwords
- Security questions and answers
- Login codes
Businesses often ask for these details so that users can complete sign-up forms or create accounts or logins on websites, apps, or any other platform.
What You Need to Know
Laws like the GDPR and the CCPA protect account details and other similar types of info.
If you process this type of information in any way, include it as a category of data you collect in your privacy policy.
If any authentication cookies are used to store session identifiers and tokens, these details must be included in your cookie policy.
3. Analytics, Engagement Data, and Internet Browsing Information
Many websites collect analytics about their website visitors, which encompasses a lot of details, including browsing habits and information like:
- Page views
- Bounce rates
- Device or browser information
- Geolocation data
- Click-through rates
- Time spent on pages
- Social shares
- IP addresses
- Search queries
- Referrer URLs
Most businesses use a third-party service to collect and analyze this information, like Google Analytics, SEMrush, HubSpot, etc.
Some analytics and engagement data are considered personal data and are protected by data privacy laws.
In the EU, analytics cookies require prior consent unless they are strictly necessary. This requirement stems from the ePrivacy Directive, not the GDPR.
What You Need To Know
This is a complex category of data because it encompasses a lot of different types of details, many of which fall under the legal definition of personal information.
While not all analytics data can identify an individual (e.g., bounce rates), other details can, and some are even considered a special category of sensitive personal information, which is subject to even stricter legal requirements (e.g., precise geolocation).
Precise geolocation is sensitive under CCPA/CPRA. Under GDPR, it is not automatically special-category data, unless it reveals protected characteristics (e.g. visits to health clinics, religious buildings etc.).
4. Payment Details/Financial Information
Many websites have payment portals that facilitate financial transactions, and these portals typically collect the following types of financial information from users:
- Credit/debit card numbers
- Bank account information
- Billing addresses
It’s common to collect these details to successfully and securely complete payments and transactions between the consumer and your business.
What You Need to Know
This information is protected by most privacy laws, and credit card numbers and account details are considered a special category of sensitive information under some laws.
Under the CPRA, credit card numbers and account credentials are classified as sensitive personal information.
Under the GDPR, financial data is personal data but not special-category data. However, controllers must implement heightened security measures because financial data poses a high risk of harm if breached.
Disclose to users in your privacy policy that you collect payment details and financial information. If you have this data in your possession and it’s unlawfully breached, privacy laws might hold you financially accountable.
5. Demographic Data
Businesses typically collect some type of demographic data from users, for example:
- Age
- Gender
- Date of birth
- Nationality
You might collect birth dates and demographic data to send promotional materials or coupons, to verify that users signing up for your platform are above a specific age, or to learn more about the culture of your users.
What You Need to Know
Demographic data such as age or gender is personal data under the GDPR and CCPA.
Demographic profiles used for targeted advertising may trigger additional obligations such as opt-outs under the CCPA and other U.S. privacy laws.
Age data relating to minors is subject to stricter requirements (e.g., COPPA in the U.S., GDPR’s heightened protection for children’s data).
6. Customer Support & Communication Data
Many businesses collect information that users voluntarily provide when interacting with customer support or completing forms.
This category can include a wide range of data, such as:
- Support tickets and help desk messages
- Emails sent to customer service
- Chat transcripts and chatbot interactions
- Contact forms
- Product feedback or surveys
- Uploaded files, screenshots, or attachments
- User-generated content (e.g., reviews, comments, or forum messages)
These details are collected when individuals reach out for assistance, request troubleshooting, submit inquiries, or participate in community features or customer satisfaction programs.
What You Need to Know
Customer support and communication data often contains a mixture of personal data, including names, email addresses, device information, and potentially sensitive information if users voluntarily disclose it.
Because of this, laws like the GDPR, CCPA/CPRA, and other global privacy regulations require businesses to:
- Clearly disclose that they collect communication data in their privacy policy,
- Limit access to only those employees or service providers who need it,
- Monitor for the accidental collection of sensitive personal information,
- Ensure that support platforms (e.g., Zendesk, Intercom, HubSpot) are covered by valid data processing agreements,
- Implement appropriate security measures such as encryption and access controls,
- Honor deletion requests and retention limits, since communication logs are often stored longer than necessary.
If any cookies, trackers, or session replay tools are used to collect interaction data (e.g., via live chat widgets), this also must be disclosed in your cookie policy.
7. Location Data
Some businesses might collect location data from users, which could include:
- IP addresses
- GPS coordinates
- Shipping addresses
Businesses might collect this data to send goods to the customer’s preferred location, to improve the user experience, or for targeted marketing purposes.
What You Need to Know
Because this data can identify an individual or household, it’s almost always protected by privacy laws and can only be lawfully collected within their specific boundaries.
Some of these laws, like the CCPA and other U.S. state-level legislation, give individuals the right to opt out of having their data used for targeted advertising.
Under the CPRA, ‘precise geolocation’ is defined as data within a radius of 1,850 feet (approx. 564 meters). This category receives heightened protection.
8. Device Information and Technical Data
Some businesses collect device information and other technical data from users, for example:
- Device type and model
- Operating system
- Browser type
- Cookies and other tracking IDs
This information might be used by businesses looking to refine their products and services, improve customer support options, or even for cybersecurity and other safety purposes.
It can also be used for targeted marketing, advertising, and general analytics.
What You Need to Know
It’s important that you mention all device and technical information your business collects from consumers directly in your privacy policy.
But it’s equally important to inform them about the cookies or trackers used to collect this data.
Many laws, like the GDPR, require you to say how you’re collecting the information from users, and in this case, it might be from placing a cookie on their browser.
It is important to know that IP addresses can be personal data under the GDPR (per CJEU Breyer v. Germany).
Device IDs, advertising IDs, and cookie IDs can also constitute personal data if they can reasonably identify a user or household.
9. Sensitive Personal Information
Some businesses might collect a special category of data known as sensitive personal information, which can include:
- Health information
- Biometric data
- Political opinions
- Religious beliefs
- Race/ethnicity
- Sex/gender
- Sexual orientation
However, the specific definition might change depending on which law applies to your business or protects your consumers.
Under the GDPR, “special categories of personal data” are defined in Article 9 and include health data, biometric data for identification, political opinions, religious or philosophical beliefs, trade-union membership, race/ethnicity, and sexual orientation.
Processing these categories requires a specific Article 9 justification, such as explicit consent, employment law obligations, or substantial public interest.
Under the CPRA (California Privacy Rights Act) and similar U.S. state privacy laws, “sensitive personal information” is a defined category that includes:
- Government identification numbers,
- Account log-in credentials,
- Precise geolocation,
- Racial or ethnic origin,
- Citizenship or immigration status,
- Genetic data, and
- The contents of communications, among others.
Consumers have the right to limit the use and disclosure of this personal data.
It is important not to conflate the GDPR special categories with the CCPA/CPRA sensitive personal information.
The two frameworks use different terminology and impose different obligations, even when the types of data appear similar.
Although the names are similar, the legal requirements, consumer rights, and processing conditions differ significantly across jurisdictions.
There are many different reasons why a business might collect sensitive data.
Some reasons are industry specific, like insurance companies or hospitals collecting and analyzing health data, or GPS and map services collecting geolocation information.
What You Need to Know
Under most privacy laws, categories of sensitive personal data are usually subject to stricter data privacy requirements.
Under the GDPR, processing special-category data requires both a lawful basis under Article 6 and also a specific condition under Article 9.
Under the CPRA, businesses must provide a “Notice of Right to Limit” when using sensitive PI for purposes such as profiling or targeted advertising.
For example, you might need to perform data privacy risk assessments, request opt-in consent from users before collecting it, and present users with very clear privacy notices.
How Termly Helps Businesses Communicate the Types of Data They Collect
If your website collects personal data, Termly is your one-stop shop for privacy compliance.
With a Termly account, you can use tools like our Privacy Policy Generator to easily list any and all categories and types of data necessary.
Our legally backed generator asks simple questions about your business and its data processing activities and includes a list of common categories of data along with an option to fill in your own details.
You can also use Termly’s Website Scanner to verify what cookies your site uses; it then categorizes them and lists them in a unique cookie policy.
It’s fast, easy, and you can sign up for free.
Reviewed by Teodor Stanciu, CIPP/E, CIPM Legal Coordinator & DPO

