What is Personal Data?
If you're a business operating online, there's a good chance you collect personal data, or personal information, from your customers. If you do collect personal data, it's crucial you understand:
- What might count as personal information
- How this data must be protected, and
- What information you should provide to customers before collecting their data
Privacy laws are evolving all the time, and you should be aware of how these rules affect your operations. The first step to complying with your legal obligations is understanding precisely what constitutes personal data, so let's consider this question in detail.
From the EU's GDPR to Canada's PIPEDA, privacy laws have one thing in common: They all provide a definition of personal data. This is unsurprising, since the meaning of personal data underpins the very purpose of these privacy rules.
Broadly speaking, personal data is any information a business could use to identify a particular individual. You might also see this information referred to as, for example:
- Personal information
- Personally identifiable information
- Sensitive data
Although it's not essential, such a definition is certainly helpful and can provide a lot of clarity for your users.
Let's look in more detail at exactly what personal data is.
- 1. Examples of Personal Data
- 1.1. Personal Identifiers
- 1.2. Online Identifiers
- 1.3. Sensitive Information
- 1.4. Pseudonymized or Anonymized Data
- 1.5. Legal Definitions of Personal Data From Around the World
- 1.6. EU: General Data Protection Regulation (GDPR)
- 1.7. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- 1.8. California: California Consumer Privacy Act (CCPA)
- 1.9. New York: Stop Hacks and Improve Electronic Data Security Act (SHIELD)
- 1.10. China: Personal Information Protection Law (PIPL)
- 1.11. Australia: Australian Privacy Act (APA)
- 2. Personal Data: Conclusion
Examples of Personal Data
There's a huge amount of information that may be considered personal data. Although it's impossible to list every example of personal data, let's go over some examples by breaking personal data into rough categories.
Personal Identifiers
Let's call this first category "personal identifiers." Personal identifiers include details such as:
- Email address
- Home address
- Phone number
- ID numbers, e.g. passport number or Social Security number
For example, say you have someone's full name or their social media handle. These details can easily be tied to a specific individual, so they count as personal data.
On the other hand, if you just have a list of telephone numbers but no way to attribute the numbers to a particular person, they may not be considered personal data.
We'll cover how various laws define personal data in more detail below. However, if you're unsure whether something is "personal" or not, then treat it as personal data to be safe.
Online Identifiers
There are some forms of online data which may count as personal data, depending on the context.
Examples of such online identifiers include:
- IP address
- Pixel tag
- Cookie ID
- Online usage data
There's a good chance you collect some technical or online data about your customers. For example, if you run an online store, customers must set up an account to shop with you. Or if you use analytics tools like Google Ads to learn more about your customers, you're collecting data which could be tied to a specific individual.
Sensitive Information
There are some details which are considered more personal than others.
This type of data is known as "sensitive" information and includes:
- Biometric or bio data
- Healthcare data such as health records
- Sexual orientation
- Union membership or affiliation
- Racial information
- Genetic data
- Political or religious data
For example, if you have someone's name, you hold their personal data. However, if you also hold data identifying them as a union member, you hold sensitive information.
The distinction matters because some privacy laws require you to treat sensitive data more carefully, and you may also need consent before collecting sensitive data.
Pseudonymized or Anonymized Data
If data is anonymized in such a way that you can't reverse the process, it's no longer considered personal information under many privacy laws.
On the other hand, if you can reverse the process, the data is still considered personal, even if it's currently anonymous. For example, encrypted data can be "unscrambled," and you can use other techniques to reverse pseudonymized data.
If you're in any doubt whether information is truly anonymous, always treat it as personal information and protect it accordingly.
Legal Definitions of Personal Data From Around the World
As noted, every privacy law defines "personal data" differently. Depending on where you operate, you must understand these nuances to ensure you process personal data legally and obtain any relevant consents you need.
To help you understand your obligations, let's consider some of the world's leading privacy laws and how they define personal data, noting any key similarities and differences.
EU: General Data Protection Regulation (GDPR)
The EU's GDPR, which applies to businesses selling goods or services to EU consumers, defines personal data in GDPR Article 4.
"Personal data" under the GDPR is:
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- Location data
- ID number
- Online identifier
The GDPR makes provision for "special categories" of personal data which must be handled with extra care. Under GDPR Article 9, special categories include:
- Health data
- Trade union membership
- Ethnic or racial origin
- Sexual orientation
You can't process these special categories of personal data without express, fully informed, and freely given consent. You must also only process the data for a clear and specific purpose, and only collect as much information as is required to fulfill that purpose.
The justifications for collecting special or sensitive data are set out in Article 9.
Under the GDPR, you should still protect pseudonymized data, since the process can be reversed. If data is irreversibly anonymized, then it's no longer considered personal data and isn't subject to the GDPR.
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA regulates how businesses should handle personal data belonging to Canadian consumers.
In Part 1 Section 2, PIPEDA defines personal data very briefly as just any information about a certain individual. The Act sets out a more detailed definition of what constitutes "personal health information," which includes data revealing:
- Physical or mental health status
- Medical or health treatments
- Blood or organ donations
Personal information doesn't include any data collected by a business solely to communicate with its employees e.g. a worker's email address or telephone number. If the information is publicly available, then PIPEDA may not apply, but it's always best to treat any data as personal if you're at all unsure.
California: California Consumer Privacy Act (CCPA)
The CCPA has a fairly broad definition of personal information.
According to Section 1798.140(o)(1), personal data is any information which can reasonably be linked to an individual or their household. The link can be direct or indirect. All that matters is that the link exists:
"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) "Personal information" does not include publicly available information. For purposes of this paragraph, "publicly available" means information that is lawfully made available from federal, state, or local government records. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.
(3) "Personal information" does not include consumer information that is deidentified or aggregate consumer information.
The list is non-exhaustive. However, it provides a sense of just how much information may be considered personal.
Personal information under the CCPA does not include:
- Any data which is publicly and lawfully available
- Deidentified data
- Aggregate consumer data
The California Privacy Rights Act (CPRA), which expands upon the CCPA, includes a new definition of "sensitive" data and expands existing privacy rights.
Sensitive information is clearly defined under Section 1798.140(ae)(1):
(ae) "Sensitive personal information" means:
(1) Personal information that reveals:
(A) A consumer's social security, driver's license, state identification card, or passport number.
(B) A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
(C) A consumer's precise geolocation;
(D) A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership.
(E) The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication.
(F) A consumer's genetic data.
(2)(A) The processing of biometric information for the purpose of uniquely identifying a consumer.
(B) Personal information collected and analyzed concerning a consumer's health.
(C) Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.
(3) Sensitive personal information that is "publicly available" pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information.
New York: Stop Hacks and Improve Electronic Data Security Act (SHIELD)
- Personal information
- Private information
"Personal" information is "any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person".
"Private" information is close in equivalence to "sensitive" or "special" information referred to in other acts.
Broadly, there are two types of private information under the SHIELD Act:
- Any username or email address plus security or password information which permits unauthorized access to an account, or
- Personal information combined with a certain "data element" which is either unencrypted or encrypted and compromised
A "data element" can be:
- Social Security Numbers
- Driver's License Numbers
- Non-driver ID Numbers
- Account numbers (either when it's possible to access an account without needing further details, or when the relevant security answers e.g. passcode are also available)
Under the SHIELD Act, no information is private or personal if it's publicly available e.g. census data. It's only private or personal if it's not normally public data.
China: Personal Information Protection Law (PIPL)
PIPL defines personal data, or personal information, in Article 4.
Essentially, "personal information" is any data which can be linked to a specific person. The only exception is anonymized data, which does not count as personal information under PIPL.
Article 28 defines "sensitive information." Under PIPL, sensitive information is any data which could cause a person harm if it falls into the wrong hands.
Examples include biometric data, financial data, and medical information, but this is a non-exhaustive list.
You can't handle sensitive information unless:
- You have someone's informed consent, and
- There's a specific reason you need the data
What's more, any data belonging to under-14s counts as sensitive data, even if it's only "personal" rather than "sensitive" in nature.
Here's an interesting point worth noting: Under PIPL's definition of sensitive information, virtually any data may be considered "sensitive" should it fall into the wrong hands, so it will be interesting to see how the law is enforced and if the definition is refined over time.
In short, though, here's what we can take from all this:
- Only ever collect as much data as you need to fulfill a strict, clearly defined purpose
- Always get consent before collecting any personal data belonging to under-14s
- Get consent before collecting any sensitive data
Australia: Australian Privacy Act (APA)
The Australian Privacy Act (APA) provides an extremely broad definition of personal information. The Act defines personal data in Part II, Division I. The definition is any data which can be used to either:
- Identify an individual, or
- Form an opinion about an individual
In other words, it doesn't matter if the information is true, or if it's recorded in a specific format. Rather, any data is personal if there's a chance it could be used to form an opinion about a certain person.
The Act also provides a "sensitive information" definition. There's a long list of data which might count as sensitive, including a person's criminal record.
Sensitive information also counts as personal data under the Act and includes such things as health information, political views, philosophical beliefs, and sexual orientation.
Unlike PIPL, there's no mention of minors in the "sensitive information" definition. However, you should still treat data belonging to children with the utmost care.
This is by no means an exhaustive list of all the privacy laws around the world, so always check which laws apply, and what may be considered personal information, before you collect or process personal data in any country.
Personal Data: Conclusion
Personal data, or personal information, is essentially any data that could be used to identify a specific, living individual. Privacy laws protect personal data by ensuring businesses treat it in a certain way. So, you must ensure you know what constitutes personal data under the relevant privacy rules.
How broadly the concept of personal data is interpreted depends on which privacy laws apply. For example, some privacy laws consider anonymized data as private, whereas others are more lenient.
Whichever laws apply, every business collecting personal data must establish safe processes for collecting, processing, using, and sharing this data. Should a business fail to uphold the relevant privacy rights, they could face steep financial penalties.