
What is Personal Information Under Data Privacy Laws

Masha Komnenic CIPP/E, CIPM, CIPT, FIP

October 5, 2022

According to most data privacy laws, personal information is any information that can be used to identify a person.

It can range from basic information, like a person’s name or phone number, to the complex, including biometric data and location tags. But the topic of personal information is complex, and there are a lot of things businesses need to know about it to protect themselves and their users.

This guide will explore the definition of personal information with examples, how various data privacy laws govern it, and what your business can do to protect it.

Table of Contents
  1. What Is Personal Information — or Personal Data?
  2. Types and Examples of Personal Information
  3. How Personal Information Is Defined by Data Privacy Laws
  4. How Businesses Can Protect Personal Information
  5. How To Encourage Users To Protect Their Personal Information
  6. Personal Information FAQ
  7. Summary

What Is Personal Information — or Personal Data?

Personal information (or personal data) is defined as any information relating to a specific person, such as their name, address, IP address, etc.

Businesses need to be aware that varying data privacy laws have their own definitions of personal information.

As a business, you may access or store personal information or personal data across social media, web applications, servers, and more. Therefore, handling personal information properly according to different laws is essential.

What About Personally Identifiable Information?

Personally identifiable information, or PII, is an older term for personal information. It was used most commonly in the U.S. and is being phased out.

Types and Examples of Personal Information

It’s important to consider all the different types of personal information. The list is long, but it divides into a few separate groups.

Some information, like basic details, is easy to categorize. However, as the list progresses into new types of information, it often gets harder to tell if the information is personal.

Basic Details

Even without considering the digital space, most businesses want — or need — to collect a consumer’s basic personal details.

Basic personal details include:

  • Name
  • Address
  • Phone number
  • Mailing address
  • ZIP code
  • Email address

Each of these may or may not be personal information, depending on how it is collected and paired with other information.

For example, a list of middle names alone means nothing, but those same names paired with first and last names are an example of personal information.

To determine whether the information is personal, the question to ask is: Can this information identify a specific person?

ID Numbers

Many numbers mark people as individuals, from Social Security numbers to customer identification numbers. Anything that identifies you as an individual is part of your personal information.

Some of these ID numbers include:

  • Account numbers
  • Passport number
  • Driver’s license number
  • Insurance policy number
  • Buyer’s club number

Computer and Technical Numbers

In the digital world, a wide range of numbers is used to identify and mark individuals. This category includes information businesses collect and use to learn more about their consumers, as well as information that consumers themselves give to companies — to create an account, for example.

These numbers include:

  • IP address
  • MAC address
  • Username
  • Password
  • Browsing history
  • Apple ID

Sensitive Information

Sensitive information is a designation sometimes used for data that requires special protection. These protections vary under different laws, so check the definition for each data privacy law you must comply with first.

Sensitive information often includes:

  • Health
  • Race
  • Political views
  • Religion
  • Sex life
  • Sexual orientation
  • Biometrics
  • Genetics
  • Trade union affiliation

Other Types of Personal Information

These lists are not fully inclusive of all types of identifiable information. Every day someone develops an idea that results in new types of information.

Other types of information include:

  • Location-based information
  • Voice commands
  • Info from connected devices
  • Health information
  • Education
  • Criminal or court history
  • Employment records
  • Credit reports

Subjective Data

The information we covered above is objective data, with identifying information that can be combined to learn a lot about a person.

Subjective data, on the other hand, is information that can only tell something about a person if combined and used in very particular ways.

Examples of subjective data include:

  • Notes you took at a meeting
  • A list of the ages of everyone’s kids
  • Email
  • Complaint file

What Is Not Personal Information?

Data has to be tied (or linkable) to a person to be considered personal information.

For example, a phone number alone is not personal information. But the minute context (like a name) is added, it becomes personal information.

As another example, an email address needs to be personal to be considered personal information. If you contact Termly at the basic email — [email protected] — that is not personal info. However, if you email someone individually at the company, it is.

How Personal Information Is Defined by Data Privacy Laws

There are many examples of personal information listed above. However, you must be aware of what laws govern your business and what the definition of personal information is according to those laws.

First check out this table with a brief overview and then keep reading for a more in-depth explanation of each.

Law or Regulation | Region | Definition of Personal Information
Australian Privacy Principles | Australia | Any information that can (or reasonably could) identify a living individual
California Consumer Privacy Act (CCPA) | California | Any information, within reason, that is linked with a distinguishable person or household
California Privacy Rights Act (CPRA) | California | Added sensitive information to CCPA’s personal information
California Online Privacy Protection Act (CalOPPA) | California | Specific list of data types (see below)
Consumer Data Protection Act (CDPA) | Virginia | Information linked or reasonably linkable to an identified or identifiable natural person
Colorado Privacy Act (CPA) | Colorado | Any information, within reason, that is linked with a distinguishable person. Does not include de-identified data.
General Data Protection Regulation (GDPR) | European Union | Information that can lead to the identification of a person — i.e., credit card number, email address, name, etc.
Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada | Information about an identifiable individual

US Federal Law

The United States does not yet have a privacy law that covers the entire country.

Instead, it gives the Federal Trade Commission (FTC) powers to protect consumers. However, the FTC does not currently use a single definition of personal information. Expect this to change soon, as bills to establish a federal privacy law are before Congress now.

That being said, some US federal laws do protect certain areas of personal information, including:

  • Children’s Online Privacy Protection Act (COPPA): Personal information collected from or about minors
  • Health Insurance Portability and Accountability Act (HIPAA): Personal health information
  • Gramm-Leach-Bliley Act (GLBA): Personal banking information
  • Fair Credit Reporting Act (FCRA): Personal credit information

Additionally, several US states have enacted their own data privacy laws, which we will discuss below.

GDPR Definition of Personal Information

The General Data Protection Regulation (GDPR) is the world’s first major privacy law and protects EU residents’ data. This law has provided a model for others to follow.

The GDPR is strict, covering not only information that could be used to identify someone but also some pseudonymized information and some cookie identifiers.

The GDPR defines personal information as:

any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR also adds “special categories” for sensitive information. You cannot process this data by default; however, there are several exceptions listed in the law, including explicit consent.

Special category data includes:

  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation

CCPA Definition of Personal Information

The California Consumer Privacy Act (CCPA) applies to anyone who serves residents of California. The CCPA brings California’s law much more in line with the EU’s laws.

The CCPA defines personal information as:

‘Personal information’ means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

This is a broad definition of personal information, and it goes beyond the GDPR by covering households as well as individuals.

However, there are types of information that the CCPA considers not personal because they are publicly available, such as:

  • Information from government records
  • Professional licenses
  • Real estate and property records

CPRA Definition of Personal Information

The California Privacy Rights Act (CPRA) amended the CCPA and added a category of sensitive information that requires greater protection.

The CPRA defines sensitive information as:

  • Social security number, driver’s license/ID card, passport number
  • Geolocation
  • Race/ethnicity, religion, philosophies, union membership
  • Financial account numbers, access codes, passwords, and more
  • Contents of message
  • Genetic data

CalOPPA Definition of Personal Information

The California Online Privacy Protection Act (CalOPPA) was an early California law protecting private data. This is where the old term PII, Personally Identifiable Information, was used.

CalOPPA listed the specific data considered personal information under it:

  • First and last name
  • Address
  • Email address
  • Any other information that permits a specific individual to be contacted physically or online
  • Birthdate
  • Height, weight, hair color
  • Phone number
  • Social security number
  • Any other identifying contact details
  • Cookies, or any other information a website collects about its users when it is used in a way that can identify a person

While this law has been superseded by the CCPA and CPRA, this list is a good core of things the courts will consider as personal information. However, courts are likely to include other types of data as personal.

VCDPA (Virginia) Definition of Personal Information

The Virginia Consumer Data Protection Act (VCDPA) definition of personal data is:

any information that is linked or reasonably linkable to an identified or identifiable natural person.

Personal data does not include “de-identified data or publicly available information.” The law does not include examples.

The VCDPA excludes public information and includes sensitive information.

CPA (Colorado) Definition of Personal Information

Under the Colorado Privacy Act, personal data means:

“(a) information that is linked or reasonably linkable to an identified or identifiable individual, and (b) does not include de-identified data or publicly available information.”

It also excludes data that is kept for employment records and includes a category for sensitive data.

PIPEDA Definition of Personal Information

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s privacy law. If you market or sell to Canadians, you have to comply with it.

PIPEDA covers a wide range of information that can be tied to an individual.

Australian Privacy Principles

Australian law draws inspiration from other laws — especially the GDPR.

How Businesses Can Protect Personal Information

As a business, you can use personal information for safe and legitimate purposes, and collect it in various ways.

Legitimate Reasons to Collect Personal Data | How Personal Data Can Be Collected
Marketing | Cookies
Fraud prevention and user verification | Web forms
Personalized user experience | Third-party software

However, it’s crucial to ensure the software you use does not collect users’ information without their express consent or share that information with the software creator and other parties.

Here are a few tips to protect your users’ personal information:

Prioritize Privacy

Ensure your customers and clients know that you take their privacy seriously by making privacy a core part of your business and planning.

Everything you do should center around protecting the privacy of your customers, employees, and the other people you do business with.

Ask yourself: Is there something that could leak out and cause problems?

If so, protect it.

Limit the Data You Collect

Be careful not to collect any more information than you need. If you collect less data, you will be responsible for less data. Everything that’s collected must be protected.

Talk to your web designer about your cookies. Often, cookies collect more information than you really need for functionality.

Limit the Data You Keep

If you keep very little data, there are fewer chances of privacy breaches.

Information may be gathered by a cookie to allow access to your website, but does that cookie need to be kept for future access? It might be easier to collect and discard personal information every time rather than having the computer auto-populate forms for your clients.

Beef Up Your Security

One large risk to your customers is a data breach that exposes all of the information you keep. This can include very private and sensitive information like incomes and credit card numbers.

The best way to protect yourself from a breach is to make sure you are using state-of-the-art security and following modern security practices.

Access Control

Access control limits internal access, making breaches less likely. The fewer employees who have access to or use the data you collect, the fewer weak points you have. Small personal errors can result in privacy breaches that you are responsible for.

Fair Information Practices

Many businesses are seeking instruction and direction about how to best protect the privacy of their customers. One approach to this problem is the Fair Information Practice Principles (FIPPs).

These eight principles create goals for data usage and privacy:

  1. Collection Limitation Principle: Data collection should be lawful and gathered with consent.
  2. Data Quality Principle: Personal data should be relevant and accurate.
  3. Purpose Specification Principle: Specify the purposes for which you use personal data.
  4. Use Limitation Principle: Do not disclose personal data.
  5. Security Safeguards Principle: Always take security safeguards over personal information.
  6. Openness Principle: Businesses and entities should keep their practices as open as possible.
  7. Individual Participation Principle: Individuals should have the right to find out what personal data has been used and to regain control of it.
  8. Accountability Principle: The person in control of the data is responsible.

Encrypted or Pseudonymous Data

People naturally want their online data secure and private.

One key way to do this is to encrypt the data so others cannot read it without the key. Another way is to change the data so it can no longer be tied to a particular person.

Examples of data like this include:

  • Information with personal identifiers replaced with dummy variables
  • Information sent through encryption processes
  • Information changed to be unidentifiable
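The two techniques above differ in an important way: data whose identifiers have been replaced with keyed dummy values can still be re-identified by whoever holds the key (which is why the GDPR still treats pseudonymized data as personal data), while data stripped of identifiers and coarsened may not be. The example below, added here and not part of the original article, shows both on a constructed customer record; the field names, the HMAC-based pseudonym scheme and the coarsening rules are assumptions for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Any, Dict

# Constructed sample record for illustration; not real customer data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "+1-555-0100",
    "zip": "94105",
    "age": 34,
    "purchases": 7,
}

# Fields that, alone or combined, point at one person (the "basic details" above).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonymize(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Replace direct identifiers with keyed HMAC tokens (dummy values).

    Same input + same key always yields the same token, so records can still be
    joined per person for analytics. Without the key the raw value cannot be
    recovered, but the key holder CAN re-identify: store the key separately
    from the dataset (e.g. in a secrets manager), never alongside it.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            raw = str(out[field]).strip().lower().encode("utf-8")
            out[field] = hmac.new(key, raw, hashlib.sha256).hexdigest()[:16]
    return out


def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop direct identifiers and coarsen quasi-identifiers.

    ZIP is cut to its 3-digit prefix and age to a 10-year band, so that the
    remaining fields are less likely to single out one individual when combined.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip"] = str(out["zip"])[:3] + "XX"
    if isinstance(out.get("age"), int):
        lo = (out["age"] // 10) * 10
        out["age"] = f"{lo}-{lo + 9}"
    return out


def contains_raw_identifier(record: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """Check used before release: does any original identifier still appear verbatim?"""
    raw_values = {str(original[f]) for f in DIRECT_IDENTIFIERS if f in original}
    return any(str(v) in raw_values for v in record.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice kept in a secret store, not with the data
    print("pseudonymized:", pseudonymize(SAMPLE_RECORD, key))
    print("de-identified:", deidentify(SAMPLE_RECORD))
```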

How To Encourage Users To Protect Their Personal Information

Here are some tips for how you can encourage your users to protect their own personal information and develop good habits.

Encourage Strong Passwords

A strong password is less likely to be breached. If you use passwords on your site, require users to use a combination of letters, numbers, and special symbols. Long passwords are also better than short ones.

Offer Two-Factor Authentication

Two-factor authentication backs up passwords with a second code delivered by email, text message, or an authenticator app. This provides a second lock on personal information and limits access. Encourage your customers to use two-factor authentication.

Let Them Choose Not To Share Info

Users should always have the option to say “no” to allowing someone else to collect their information. It’s important to offer users this option, and it’s often required by law — such as the GDPR and CCPA.

Create a Cookies Preference Center

Some cookies you need to keep websites running smoothly, but some are completely unnecessary. Create a cookie preference center and allow your customers to block cookies that they don’t really need, or keep your cookies to a minimum.

Encourage Them to Read Your Policies

Encourage users to read your terms and conditions, privacy policy, cookie policy, and any other legal policy you have. You can do this by placing links to them in prominent areas and touchpoints.

Personal Information FAQ

Here are some of the most commonly asked questions about personal information.

What is the difference between personal information (PI) and personally identifiable information (PII)?

There is no difference. PII is an older term that is going out of usage.

What is the difference between personal information and sensitive personal information?

Sensitive personal information is covered by more stringent rules than simple regular personal information and includes:

  • Health
  • Race
  • Political views
  • Religion
  • Sex life
  • Sexual orientation
  • Biometrics
  • Genetics
  • Trade union affiliation

How do I know if I collect personal information?

Talk to your development and marketing teams. It is very likely that your website collects some personal information unless it is a static webpage with no features.

How is personal information used?

Businesses often use personal information to better serve their customers. For example, if a business keeps a customer’s email, they can send them important updates and offers in the future.

How is personal information collected?

People visiting your website may fill in forms and volunteer information, or the cookies you use may collect information about users. Additionally, any third-party software you use may collect information about your users.

Why is protecting personal information important?

Protecting personal information safeguards people from identity theft and other fraud-based crimes.

For example, if someone has a person’s credit card number, they can rack up fraudulent charges. Likewise, if someone has a patient’s healthcare login, they can discover information that most people would not want shared for general consumption.

Leaking this type of information poses risks to a person’s livelihood and can have legal implications for your business.

How do I disclose that I collect personal information?

Have an up-to-date website that includes a privacy policy, a cookie policy, and other legal policies. These policies must be easy for customers to find, see, and read.

What do I need to include in my privacy policy?

A privacy policy shows that you take privacy seriously. It should be clear, easy to read, and not full of legal jargon that’s hard to understand.

A privacy policy needs to include:

  • What data you collect, and the type of data
  • The purpose of your data collection
  • Notice if you sell or share your data with anyone else
  • Links to any other documents you reference

Summary

Businesses keep personal information because it allows them to better sell to their clients and serve their needs.

Some of this information includes things people consider private, like health data, credit card numbers, and passwords. When a business uses this data, it must tell its customers how it uses it and follow the laws governing its allowed and disallowed uses.

Ensure you are transparent in how your business uses personal information and are in compliance with any data privacy laws.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...