What is Personal Information Across Major Privacy Laws

“Personal information” (or data) has been defined by all the major privacy laws around the world. It has been referred to in many ways, but tends to hold the same meaning: personal information is any data that can be used to identify an individual.

Things like names, IP addresses, email, biometric data and more can fall under it. This depends on which law applies to you. 👀 Curious? Keep reading to learn more.

What is Personal Information?

Personal information – or personal data – refers to any data that can be used to identify an individual, either directly or indirectly.

According to the main privacy laws, the definition of personal information includes both personal identifiers (like a name) and technical identifiers (like an IP address), but also incomplete data that, when pieced together, reveal an individual’s identity.

Personal data is protected under various international privacy laws to prevent unauthorized access or misuse.

Examples of Personal Information

Privacy laws may define personal information in different ways. Below are examples of personal data in different categories. Each of these types of personal information can be used to identify or profile an individual in various ways.

Not every privacy law includes the same data under its definition of personal information. However, getting a general idea is still helpful — especially if you own a website or an app that processes users’ data.

1. Basic Personal Information

Basic personal information includes any information that can be used to identify an individual, such as:

  • Full name.
  • Home address.
  • Email address.
  • Phone number.
  • Date of birth.
  • Gender.
  • Nationality.

You could collect this kind of data from a contact form, or through an order placed on your e-commerce site.

You may think that something like nationality isn’t personal data per se. And you may be right, but you need to remember that context is important. In fact, if you can combine nationality with other data to identify a person, then that data needs to be protected – even if it’s partial.

2. ID Numbers

The identification numbers on personal documents are also considered personal information because, even though they’re random numbers, you can often identify someone by their ID. Some ID numbers that are personal information include:

  • National ID number.
  • Driver’s license number.
  • Passport number.
  • Social Security Number (SSN).
  • Taxpayer Identification Number (TIN).
  • Student or employee ID numbers.

3. Technical Identifiers

Technical identifiers include any data relating to a user’s devices and browsing behavior. This data is typically used to create a profile of the user, to provide analytics about a website, or to show personalized ads to the user.

  • IP address.
  • MAC address.
  • Device IDs (e.g., mobile device unique identifier).
  • Browser cookies.
  • Geolocation data.
  • Usernames or account IDs (e.g., online service user accounts).

4. Encrypted Data

Encrypted data is often considered personal information under privacy laws because encryption or pseudonymization can be reversible – thus allowing the identification of a person. Examples of encrypted or hashed data are:

  • Hashed passwords.
  • Encrypted emails.
  • Encrypted credit card numbers.
  • Encrypted medical records.
  • Encrypted biometric data (fingerprints, facial recognition templates).

On the other hand, anonymized data isn’t considered personal data because the anonymization, if done properly, cannot be reversed.

5. Sensitive Data

Finally, there is a category of personal information that requires a higher level of protection. This is sensitive information, which is information that could potentially expose the user to harm or discrimination if disclosed. Sensitive data includes:

  • Health records (e.g., medical history, test results).
  • Biometric data (e.g., fingerprints, iris scans).
  • Financial information (e.g., bank account details, credit scores).
  • Racial or ethnic origin.
  • Religious or philosophical beliefs.
  • Sexual orientation.
  • Political opinions.
  • Criminal records or security clearance information.

Privacy laws often forbid the processing of sensitive data, or allow it only if certain security measures and conditions are met and only if it’s really necessary to achieve the purposes set out in the privacy policy.

What is Not Considered Personal Information?

It follows that the definition of personal information does not include data that does not originally refer to an identified or identifiable person.

Examples of non-personal data are:

  • company registration numbers;
  • generic company email addresses, such as info@company.com;
  • anonymized data.

Some privacy laws make a distinction between private and publicly available information.

  • Generally, most U.S. State Laws do not consider publicly available information to be personal information. This means that data sourced from government records, media, or information made public by the individual may not be treated as personal information. However, definitions of what constitutes “publicly available” information vary across states, as you can see from this infographic by GreenbergTraurig. For example, California has a stricter interpretation, particularly regarding internet-sourced data.
  • The EU Regulation, the GDPR, by contrast does not make this distinction and applies the same standards to both private and publicly available information.

What Constitutes Personal Information in All Jurisdictions

Now let’s take a closer look at the main privacy legislations around the world and their definitions of personal information and personal data.

Personal data within the context of the General Data Protection Regulation (GDPR) refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person.

💡 Generally, the wording “personal information” has been used by US lawmakers and “personal data” by the GDPR, but essentially they relate to similar things.

Types of Personal Data

Under the GDPR, examples of personal data include (but are not limited to):

  • names;
  • health, genetic and biometric data;
  • web data such as IP addresses;
  • personal email addresses;
  • political opinions;
  • pseudonymized or encrypted data.

Examples of non-personal data include anonymized data, company registration numbers, and generic company email addresses.

👉 More information in our GDPR guide.

CPRA (CCPA amendment)

Under the scope of the California Consumer Privacy Act (CCPA), as amended by the CPRA, personal information is defined as: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Other US State Laws

All the following laws – Virginia’s Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) – define personal information similarly.

“Personal information” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal information” does not include de-identified data or publicly available information.

Types of Personal Information

Under US State Laws, examples of personal data can include, but are not limited to:

  • identifiers such as a real name, postal address, IP address, email address, social security number, driver’s license number, passport number;
  • commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • internet activity information, including browsing and search history;
  • biometric information;
  • geolocation data;
  • professional, educational or employment-related information.

👉 More information in our Comparison guide.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), personal information involves “any factual or subjective information, recorded or not, about an identifiable individual”.

Types of Personal Information

Examples under PIPEDA include:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status; and
  • employee files, credit records, loan records, medical records.

💡 The draft of a new Consumer Privacy Protection Act (CPPA) for Canada is on its way. If approved, the CPPA would replace Part I of the PIPEDA. Read more here.

In Switzerland’s FADP, personal data means any information relating to an identified or identifiable natural person. It encompasses a broad range of information about an individual:

  • National identification numbers
  • Contact details
  • Medical information
  • Employment records
  • Religious and philosophical beliefs

👉 More information here: FADP Updates – What You Need to Know.

Personal data within the context of the LGPD is any data that can be linked to an identified or identifiable individual. Any data that relates to an identified or identifiable individual is considered personal data, even if it is partial.

Examples of Personal Data:

  • Names, addresses, and telephone numbers
  • Photos or videos identifying individuals
  • Medical information
  • Employment data
  • Behavioral information collected online

👉 Read more here: What is LGPD and how do you become compliant?.

According to the Australian Privacy Act and its 13 Australian Privacy Principles (APPs), personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

Types of Personal Information

The above definition is quite broad, and can include:

  • IP addresses;
  • Unique Device Identifiers (UDIDs) such as for a mobile phone or tablet;
  • location information, which may also be covered because it can reveal user activity patterns and habits;
  • other unique identifiers in specific circumstances.

👉 More information in our Australian Privacy Laws guide.

How to Manage Personal Information

If you’re an individual looking for a way to manage your personal data, you need to know that privacy laws give you various rights that allow you to access, review, and delete the data a company has collected about you.

For example, under the EU GDPR, you have, among others:

  • The right of access: you can access your personal information and request details on how it’s been processed.
  • The right of rectification: you can ask to modify your data if it is inaccurate or incomplete.
  • The right to erasure: you can request a business to delete the data they have about you.
  • The right to object: you can object to certain activities in relation to your personal data.

You can learn more about your rights here.

How to Remove Your Information from Google

Search engines, like Google, may collect various pieces of information about you.

To see and manage the information Google has collected about you, you can go to the “Data & Privacy” section of your Google account.

From there, you’ll have a complete overview of the Google services you’re using and the data Google and third-party services are collecting about you. You can also download or delete this data.

If instead you’re looking to remove your personal information from the Search results, you’ll need to fill out the Removal request form. You can find more details in this guide by Google.

How to Manage Personal Information as a Business

If you own a website or an app, and you collect and process personal data, you need to meet specific requirements.

These requirements vary depending on the privacy law that applies to you – you can find out by taking this 1-minute quiz. But one thing you’ll probably need is a privacy policy.

A privacy policy is a document that outlines the data processing activities of your website. In other words, it explains to your users what data you’re collecting about them, why you need this data, and how you’re processing and protecting it.

Moreover, you must take all the necessary security measures to ensure the data you collect is protected from unauthorized access or misuse.

This means:

  • Collect the least amount of data possible, only what you need to achieve the purposes stated in your privacy policy (principle of data minimization).
  • Keep data anonymized or encrypted.
  • Define internal policies for access to sensitive information.
  • Back up the data.
  • Define a plan of action in case of a data breach.

💡 Please note: this isn’t a comprehensive list of all the requirements that may apply to you. Below you’ll find some useful resources to help you with your compliance:


Create your privacy policy with iubenda

iubenda simplifies compliance with personal data processing regulations. Our Privacy and Cookie Policy Generator lets you create a fully customized privacy policy in minutes. Simply click, or let our Site Scanner do the work for you.
