“Personal information” (or data) has been defined by all the major privacy laws around the world. It has been referred to in many ways, but tends to hold the same meaning: personal information is any data that can be used to identify an individual.
Things like names, IP addresses, email, biometric data and more can fall under it. This depends on which law applies to you.
Personal information – or personal data – refers to any data that can be used to identify an individual, either directly or indirectly.
According to the main privacy laws, the definition of personal information includes both personal identifiers (like a name) and technical identifiers (like an IP address), but also incomplete data that, when pieced together, reveal an individual’s identity.
Personal data is protected under various international privacy laws to prevent unauthorized access or misuse.
Privacy laws may define personal information in different ways. Below are examples of personal data in different categories. Each of these types of personal information can be used to identify or profile an individual in various ways.
Not every privacy law includes the same data under its definition of personal information. However, getting a general idea is still helpful — especially if you own a website or an app that processes users’ data.
Basic personal information includes any information that can be used to identify an individual, such as:
You could collect this kind of data from a contact form, or through an order placed on your e-commerce site.
You may think that something like nationality isn’t personal data per se. And you may be right, but you need to remember that context is important. In fact, if you can combine nationality with other data to identify a person, then that data needs to be protected – even if it’s partial.
The identification numbers on personal documents are also considered personal information because, even though they’re random numbers, you can often identify someone by their ID. Some ID numbers that are personal information include:
Technical identifiers include any data relating to a user’s devices and browsing behavior. This data is typically used to create a profile of the user, to provide analytics about a website, or to show personalized ads to the user.
Encrypted data is often considered personal information under privacy laws because encryption or pseudonymization can be reversible – thus allowing the identification of a person. Examples of encrypted data are:
On the other hand, anonymized data isn’t considered personal data because the anonymization, if done properly, cannot be reversed.
Finally, there is a category of personal information that requires a higher level of protection. This is sensitive information, which is information that could potentially expose the user to harm or discrimination if disclosed. Sensitive data includes:
Privacy laws often forbid the processing of sensitive data, or allow it only if certain security measures and conditions are met and only if it’s really necessary to achieve the purposes set out in the privacy policy.
It follows that the definition of personal information does not include data that, from the outset, does not refer to an identified or identifiable person.
Examples of non-personal data are:
Some privacy laws make a distinction between private and publicly available information.
Now let’s take a closer look at the main privacy laws around the world and their definitions of personal information and personal data.
Personal data within the context of the General Data Protection Regulation (GDPR) refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person.
💡 Generally, the wording “personal information” has been used by US lawmakers and “personal data” by the GDPR, but essentially they relate to similar things.
Under the GDPR, examples of personal data include (but are not limited to):
Examples of non-personal data include anonymized data, company registration numbers, and generic company email addresses.
Under the California Consumer Privacy Act (CCPA, as amended by the CPRA), personal information is defined as: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
All the following laws – Virginia’s Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) – define personal information similarly.
“Personal information” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal information” does not include de-identified data or publicly available information.
Under US State Laws, examples of personal data can include, but are not limited to:
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information involves “any factual or subjective information, recorded or not, about an identifiable individual”.
Examples under PIPEDA include:
In Switzerland’s FADP, personal data means any information relating to an identified or identifiable natural person. It encompasses a broad range of information about an individual:
Personal data within the context of the LGPD is any data that relates to or can be linked to an identified or identifiable individual, even if that data is partial.
According to the Australian Privacy Act and the 13 Australian Privacy Principles (APPs), personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
The above definition is quite broad, and can include:
If you’re an individual looking for a way to manage your personal data, you need to know that privacy laws give you various rights that allow you to access, review, and delete the data a company has collected about you.
For example, under the EU GDPR, you have, among others:
Search engines, like Google, may collect various pieces of information about you.
To see and manage the information Google has collected about you, you can go to the “Data & Privacy” section of your Google account.
From there, you’ll have a complete overview of the Google services you’re using and the data Google and third-party services are collecting about you. You can also download or delete this data.
If instead you’re looking to remove your personal information from the Search results, you’ll need to fill out the Removal request form. You can find more details in this guide by Google.
If you own a website or an app, and you collect and process personal data, you need to meet specific requirements.
These requirements vary depending on the privacy law that applies to you – you can find out by taking this 1-minute quiz. But one thing you’ll probably need is a privacy policy.
A privacy policy is a document that outlines the data processing activities of your website. In other words, it explains to your users what data you’re collecting about them, why you need this data, and how you’re processing and protecting it.
Moreover, you must take all the necessary security measures to ensure the data you collect is protected from unauthorized access or misuse.
This means:
💡 Please note: this isn’t a comprehensive list of all the requirements that may apply to you. Below you’ll find some useful resources to help you with your compliance: