Most data privacy laws define personal information as any details that can identify a person and can range from basic info, like a person’s name, to intricate details, like biometric data.
But the topic of personal information is complex and varies depending on which laws apply to your business and consumers.
In this guide, I walk you through the definition of personal information, explain how various data privacy laws govern it, and provide tips on what your business can do to protect it.
What Is Personal Information — Or Personal Data?
Personal information (or personal data) is defined as any information relating to a specific person, such as their name, address, IP address, etc.
Be aware that each data privacy law has its own definition of personal information.
As a business, you may access or store personal information or personal data across social media, web applications, servers, and more.
You must handle personal information properly according to applicable laws.
What About Personally Identifiable Information?
Personally identifiable information, or PII, was another term for personal information primarily used in the U.S., but it’s being phased out.
How Personal Information Is Defined by Data Privacy Laws
There are many examples of personal information listed above, but you must know what specific laws govern your business and how they define personal information.
The table below gives a brief overview of some legal definitions of the term, and later, we’ll explain them in more detail.
| Law or Regulation | Region | Definition of Personal Information |
| Australian Privacy Principles (Privacy Act 1988) | Australia | Any information that can (or reasonably could) identify a living individual. |
| California Consumer Privacy Act (CCPA) | California | Any information, within reason, that is linked with a distinguishable person or household. |
| California Privacy Rights Act (CPRA) | California | Added sensitive information to CCPA’s personal information. |
| California Online Privacy Protection Act (CalOPPA) | California | Specific list of data types (see below). |
| Virginia Consumer Data Protection Act (VCDPA) | Virginia | Information linked or reasonably linkable to an identified or identifiable natural person. |
| Colorado Privacy Act (CPA) | Colorado | Any information, within reason, that is linked with a distinguishable person. Does not include de-identified data. |
| Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) | Connecticut | any information that is linked or reasonably linkable to an identified or identifiable individual. Does not include de-identified or publicly available information. |
| General Data Protection Regulation (GDPR) | European Union | Information that can lead to the identification of a person — i.e., credit card number, email address, name, etc. |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada | Information about an identifiable individual. |
US Federal Definition of Personal Information
The United States does not yet have a federal privacy law that covers the entire country — and a possible national US privacy bill is currently inactive in Congress.
But several states have enacted or passed state-level privacy laws.
Otherwise, the Federal Trade Commission (FTC) has the power to protect American consumers but doesn’t have a single definition of personal information they use.
That said, the following US federal laws do protect certain areas of personal information:
- Children’s Online Privacy Protection Act (COPPA): Personal information collected from or about minors
- Health Insurance Portability and Accounting Act (HIPAA): Personal health information
- Gramm Leach Bliley Act (GLBA): Personal banking information
- Fair Credit Reporting Act (FCRA): Personal credit information
GDPR Definition of Personal Information
The General Data Protection Regulation (GDPR) is the world’s first major privacy law and protects EU residents’ data, providing a legal model for other countries to follow.
It has a strict definition of personal data, including information that can identify someone, some pseudonymized information, and some cookie identifiers.
You can read the full definition according to the GDPR here:
Any information relating to an identified or identifiable natural person, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR also adds “special categories” for sensitive information, which are subject to stricter requirements if you want to collect and process it.
Special categories of sensitive data include:
- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union memberships
- Biometric data used to identify an individual
- Genetic data
- Health data
- Data related to sexual preferences, sex life, and/or sexual orientation
CCPA Definition of Personal Information
The California Consumer Privacy Act (CCPA) applies to anyone who services residents of California and meets certain thresholds.
It defines personal information as:
Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The CCPA’s definition of personal information expands protections to individuals and households.
However, some details aren’t personal under this law when made publicly available, such as:
- Information from government records
- Professional licenses
- Real estate and property records
CPRA Definition of Personal Information
The California Privacy Rights Act (CPRA) amended the CCPA and added a category of sensitive information that requires greater protection.
The CPRA defines sensitive information as:
- Social security number, driver’s license/ID card, passport number
- Geolocation
- Race/ethnicity, religion, philosophies, union membership
- Financial account numbers, access codes, passwords, and more
- Contents of message
- Genetic data
CalOPPA Definition of Personal Information
The California Online Privacy Protection Act (CalOPPA) was an early California law protecting private data and is where the outdated term PII was originally used.
CalOPPA listed the following specific data as personal information:
- First and last name
- Address
- Email address
- Any other information that permits a specific individual to be contacted physically or online
- Birthdate
- Height, weight, hair color
- Phone number
- Social security number
- Any other identifying contact details
- Cookies, or any other information a website collects about its users when it is used in a way that can identify a person
Today, the CCPA with the CPRA amendments supersede CalOPPA’s definition, but the law provides a good core list of things courts will most likely consider personal information.
However, they’re likely to include other types of data as personal as well.
Virginia CDPA Definition of Personal Information
The Virginia Consumer Data Protection Act (CDPA) definition of personal data is:
Any information that is linked or reasonably linkable to an identified or identifiable natural person.
There is a category of sensitive information protected by this law.
Additionally, personal data does not include “de-identified data or publicly available information,” but the law does not provide any examples.
Colorado CPA Definition of Personal Information
Under Colorado’s Consumer Privacy Act, personal data means:
(a) information that is linked or reasonably linkable to an identified or identifiable individual, and (b) does not include de-identified data or publicly available information.”
It also describes a category of sensitive data but excludes public data and information kept for employment records.
CTDPA Definition of Personal Information
Connecticut’s data privacy law, the CTDPA, defines personal information as any information linked or linkable to an identifiable individual.
It describes a category of sensitive personal information subject to stricter requirements, but the definition excludes publicly available and de-identified data.
How Other US State Laws Define Personal Information
Several other U.S. states have passed data privacy laws that will enter into force over the next few years.
In the table below, you can see how those state laws define personal information.
| U.S. State Data Privacy Law | Definition of Personal Information |
| Delaware Personal Data Privacy Act (DPDPA) | Any information that’s linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information. |
| Florida Data Privacy Bill of Rights (FDBR) | Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information. |
| Indiana Consumer Data Protection Act (Indiana CDPA) | Information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data, aggregate data, and publicly available information. |
| Iowa Consumer Data Protection Act (Iowa CDPA) | Any information linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified and aggregate data and publicly available information. |
| Montana Consumer Data Privacy Act (MCDPA) | Any information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information. |
| Oregon Data Privacy Act (ODPA) | Data, derived data or a unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers. |
| Tennessee Information Protection Act (TIPA) | Information that is linked or reasonably linkable to an identified or identifiable natural person; and does not include information that is publicly available information or de-identified or aggregated consumer information. |
| Texas Data Privacy and Security Act (TDPSA) | Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information. |
| Utah Consumer Privacy Act (UCPA) | Information that is linked or reasonably linkable to an identified individual or an identifiable individual, excluding de-identified, aggregate, and publicly available data. |
PIPEDA Definition of Personal Information
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s version of the privacy laws, and if you market or sell to Canadians, you have to comply with it.
PIPEDA considers any factual or subjective details about an identifiable person to be personal information, whether recorded or not.
Australian Privacy Principles
In Australia, the Privacy Act 1988 defines personal information as any information or opinions about a reasonably identifiable individual, drawing inspiration from the GDPR.
Types and Examples of Personal Information
It’s important to consider all types of personal information — this is a long and growing list, but you can divide it into the following groups.
Basic Details
Even without considering the digital space, most businesses want or need to collect a consumer’s basic personal details, which include:
- Name
- Address
- Phone number
- Mailing address
- ZIP code
- Email address
The above examples are considered legally-protected personal information depending on how it’s collected and paired with other data.
A helpful way to determine whether information is personal is to ask yourself: Can this information identify a specific person?
For example, a list of middle names alone means nothing, but those same names paired with first and last names are an example of personal information.
ID Numbers
Many identification (ID) numbers mark people as individuals, from Social Security numbers to customer IDs.
Remember, anything that identifies an individual is considered personal information.
Some of the ID numbers protected by data privacy laws include:
- Account numbers
- Passport number
- Driver’s license number
- Insurance policy number
- Buyer’s club number
- Social Security numbers
Computer and Technical Numbers
In the digital world, many numbers can identify and mark individuals, including information businesses collect and use to learn more about their consumers.
Some details consumers give to companies when creating user accounts also fit under this category; for example:
- IP address
- MAC address
- Username
- Password
- Browsing history
- Apple ID
- Cookie IDs
Sensitive Information
Sensitive information is a designation sometimes used for data that requires special protection under data privacy laws and often includes:
- Health
- Race
- Political views
- Religion
- Sex life
- Sexual orientation
- Biometrics
- Genetics
- Trade union affiliation
The legal requirements for collecting and processing sensitive information vary under different laws, so be aware of which ones apply to your business.
Subjective Data
Most of the information we covered is objective data, which refers to factual, provable details about a person.
Subjective data, on the other hand, refers to someone’s opinions, thoughts, or beliefs and can fall under the protection of data privacy laws, usually as sensitive personal information.
Examples of subjective data can include:
- Notes taken during a meeting
- Complaint logs
- Political, philosophical, and religious beliefs
- Personal opinions or feelings
Other Types of Personal Information
These lists are not fully inclusive of all types of identifiable information, as data privacy laws leave room in their definitions to account for new or developing data types.
Some other possible personal information includes:
- Location-based information
- Voice commands
- Info from connected devices
- Health information
- Education
- Criminal or court history
- Employment records
- Credit reports
What Is Not Personal Information?
Under most data privacy laws, publicly available data is not considered personal information — the GDPR is an exception, which doesn’t differentiate between public and personal data.
Publicly available data includes anything reasonably believed to have been made available to the public from government records or widely distributed media, often including social media.
Data must also be tied or linkable to a person to be considered personal information.
For example, a phone number alone is not personal information, but the minute context is added, like the person’s name, it becomes personal information.
As another example, an email address needs to be personal to be considered personal information. If you contact Termly at the basic email — [email protected] — that is not personal info. However, if you email someone individually at the company, it is.
How Businesses Can Protect Personal Information
As a business, you can use personal information for safe and legitimate purposes, and collect it in various ways.
| Legitimate Reasons to Collect Personal Data | How Personal Data Can Be Collected |
| Marketing | Cookies |
| Fraud prevention and user verification | Web forms |
| Personalized user experience | Third-party software |
However, it’s crucial to ensure the software you use does not collect users’ information without their express consent or share that information with the software creator and other parties.
Here are a few tips to protect your users’ personal information:
Prioritize Privacy
Ensure your customers and clients know that you take their data privacy seriously by making it a core part of your business and planning.
Everything you do should center around protecting the privacy of your customers, employees, and the other people you do business with.
Ask yourself: Is there something that could leak out and cause problems?
If so, protect it.
Limit the Data You Collect
Be careful not to collect more information than you need — not only is this often a legal requirement, but remember, everything you collect must be protected.
If you collect less data, you’re responsible for less data.
Consider talking to your web designer about the cookies your site uses. Cookies count as personal data and sometimes collect more information than you really need for functionality.
Limit the Data You Keep
Data privacy laws require you to only keep data necessary for specific purposes and for as long as it takes to achieve that purpose, so limit how much you store.
By maintaining smaller amounts of data, there are fewer chances of a privacy breach occurring, which is an additional benefit.
Beef up Your Security
One large risk to your customers is a data breach exposing the information you keep, which can include private and sensitive information like income level and credit card numbers.
The best way to protect yourself from a breach is to make sure you are using state-of-the-art security and following modern security practices.
Access Control
Access control limits who on your team can access the data you collect, which helps minimize unauthorized data breaches caused by personal or user error.
The fewer employees who have access to or use the data you collect, the fewer weak points you have.
Fair Information Practices
Businesses seeking instruction and direction about how to best protect the privacy of their customers should consider implementing the Fair Information Practice Principles (FIPPs).
These eight principles create goals for data usage and privacy:
- Collection Limitation Principle: Data collection should be lawful and gathered with consent.
- Data Quality Principle: Personal data should be relevant and accurate.
- Purpose Specification Principle: Specify the purposes for which you use personal data.
- Use Limitation Principle: Do not disclose personal data.
- Security Safeguards Principle: Always implement security safeguards.
- Openness Principle: Businesses and entities should keep their practices as open as possible.
- Individual Participation Principle: Individuals should have the right to find out what personal data has been used and to regain control of it.
- Accountability Principle: The person in control of the data is responsible.
Encrypted or Pseudonymous Data
To help protect user personal data, consider encrypting the data so others cannot read it and changing the information so it can no longer identify a particular person.
Examples of data like this include:
- Information with personal identifiers replaced with dummy variables
- Information sent through encryption processes
- Information changed to be unidentifiable
How To Encourage Users To Protect Their Personal Information
Here are some tips for how you can encourage your users to protect their own personal information and develop good habits.
Encourage Strong Passwords
A strong, complex password is less likely to be breached.
If you use passwords on your site, require users to use a combination of letters, numbers, and special symbols.
Offer Two-Factor Identification
It’s a good idea to encourage your customers to use two-factor identification.
Two-factor identification backs up passwords with permission from email, text, or an online program, acting like a second lock on personal data and limiting access.
Let Them Choose Not To Share Info
Under many data privacy laws, like the CCPA and GDPR, users have the right to object to certain types of data collection, so it’s important to give them this option.
Create a Cookies Preference Center
Some cookies are necessary to keep websites running smoothly, but others are completely unnecessary and often collect personal information.
So, create a cookie preference center and allow your users to block, accept, and customize the cookies your site uses.
Encourage Them to Read Your Policies
Encourage users to read your terms and conditions, privacy policy, cookie policy, and any other legal policy you have.
You can do this by placing links to them in prominent areas and asking them to take an action to express agreement (like selecting an unmarked checkbox).
Personal Information FAQ
Here are some of the most commonly asked questions about personal information.
What is the difference between personal information (PI) and personally identifiable information (PII)?
There is no difference between personal information and PII, but PII is an older term not used as often anymore.
What is the difference between personal information and sensitive personal information?
Sensitive personal information is more vulnerable and is covered by more stringent rules than regular personal information and includes:
- Health
- Race
- Political views
- Religion
- Sex life
- Sexual orientation
- Biometrics
- Genetics
- Trade union affiliation
How do I know if I collect personal information?
To determine if your site collects personal information, perform a privacy audit, talk to your marketing and development teams, and check what cookies your site uses.
How is personal information used?
Businesses often use personal information to better serve their customers and for marketing and research purposes.
For example, if a business keeps a customer’s email, they can send them important updates and offers in the future.
How is personal information collected?
People visiting your website may fill in forms and volunteer information, internet cookies may collect information about users, and some third-party software you use may collect information about your users.
Why is protecting personal information important?
Protecting personal information is one of the most important identity theft protection measures that safeguards user data against fraud-based crimes.
For example, if someone has a person’s credit card number, they can rack up fraudulent charges. Or, if someone has a patient’s healthcare log-in, they can discover information that most people would not want shared for general consumption.
Leaking this type of information poses risks to a person’s livelihood and can pose legal implications for your business.
How do I disclose that I collect personal information?
Have an up-to-date website that includes a privacy and cookie policy that are easy to read and allow users to follow through on their privacy rights.
What do I need to include in my privacy policy?
A privacy policy needs to include:
- What data you collect, and the type of data
- The purpose of your data collection
- Notice if you sell or share your data with anyone else
- Links to any other documents you reference
Summary
Understanding personal information is essential for business owners.
It’s useful data that can help improve the customer experience and strengthen your relationship with consumers.
For this reason, it’s protected by new and existing data privacy laws, and chances are at least one of them applies to your business.
Ensure you’re transparent about how your business uses personal information and are in compliance with the applicable laws and regulations.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
