Websites and mobile apps commonly collect and use something called personal data. What personal data is and how it is defined is dictated by laws. Laws and regulations also dictate how that data may be used and collected.
If your website is going to collect and use personal data (sometimes called personal information), you need to know what is considered personal data, what isn't personal data, and examples of when and how you may collect it.
That's what this article will explore.
Legal Definitions of Personal Data
Unfortunately, there isn't one universal definition of what personal data is. Laws in the U.S. and around the world have described personal data in different ways. Thankfully, while the laws differ in some ways, their descriptions generally agree: personal data is any data that can be used to identify an individual, such as a name, phone number, ID number, screen name, IP address and a variety of other data points.
Let's look at a few laws and their specific definitions.
One of these privacy laws is the GDPR. The GDPR is the EU's primary privacy law, and it protects its citizens when their data is collected. It has some of the strictest privacy rules out there. It's also a good place to start to determine what personal data is. Since the law's enactment in 2018, many countries have reworked their privacy laws to mimic the GDPR.
The GDPR defines personal data as "any information that relates to an identified or identifiable living individual."
Something important under the GDPR and other privacy laws is whether the information collected "relates to" an individual. If the information can be related to or can identify a person, it will almost always be considered personal data.
Just as the GDPR applies to the data of EU citizens, each U.S. state law applies to the collection of data from that state's own citizens.
For example, California's CalOPPA applies to the collection of data from California citizens, no matter where the company that collects it is located.
One of the key privacy laws in the U.S. is the CCPA/CPRA, or the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA). Section 1798.140(o)(1) of the CCPA governs how "personal information" is defined, as:
"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household."
While it mirrors most privacy laws in this regard, its definition is expanded to include information that not only relates to or identifies an individual, but is also "reasonably capable of being associated with" a person and even a household. In this regard, the CCPA (CPRA) broadens what can be personal data compared to earlier laws, such as CalOPPA.
CalOPPA defines "personally identifiable information" very specifically with examples. Instead of a broad definition, CalOPPA offers only seven examples of what this could be:
- First and last name
- Mailing address
- Email address
- Phone number
- Social Security Number
- Identifiers that permit online contacting
New York's SHIELD Act offers an additional definition of personal data to consider in the US. It defines "personal information" as:
"Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person"
With regard to the definition of personal data, remember:
- Not all personal data is the same for every controller or company. It may be considered personal data for one company, but not for another.
- Not every law will apply to every country or company. For example, the CCPA (CPRA) and its rules only apply to companies that make over $25 million a year and collect the personal data of California citizens.
- Personal data may slightly vary not only between countries but also between states. Pay attention to the specific definitions of all the laws you need to comply with because you may be overlooking certain personal data that one law doesn't protect, while another law will protect it.
- While it's important to double check the definitions, the general thing to remember is that personal data is information that relates to or identifies an individual.
What is Considered to be Personal Data?
As with the definitions, what is considered personal data may vary from law to law.
For example, identifiers under the CCPA (CPRA) can include:
- Real name
- Postal address
- Unique personal identifier
- Online identifier
- IP address
- Email address
- Some information that isn't public
- Professional or employment-related data
- Access logs
- Error logs
- Geolocation data
- Browser history
All of these identifiers can relate directly or indirectly to a person. Most laws make sure to include this in their definition of personal data. Today, definitions are broadly construed to encompass as much data as possible.
Examples of Commonly Collected Personal Data: What and How
Below is a list of collection points for personal data and what type of data is typically collected at each point.
Via Sign-up Forms
A common collection point for personal data by a website or app is in sign-up forms. A sign-up form will typically ask for an individual's:
- Email address
- Postal address (sometimes)
- Security questions that relate to the individual
Here's an example of a basic sign-up form that collects an email address:
Some websites will ask for additional personal information at the time of sign-up. This additional information can be used for security reasons, to help tailor usage of the website, or to confirm the age of the user.
Cookies or identifiers are used by websites to help streamline a customer's experience and track site analytics.
Most if not all privacy data laws will have a section dictating how cookies and identifiers are used.
Automatically Collected Data
Many websites automatically collect a variety of data for a number of purposes.
NerdWallet states exactly what type of information is collected automatically when the site is accessed or an email is opened:
Some websites also collect personal data and store that information in logs, such as access logs, error logs, and security audit logs.
These logs collect and store data to document and keep track of how many times a customer has accessed the website or encountered errors. This information can be used to help improve processes and updates.
Google collects personal data that relates to crash reports and system activity that can be used in logs:
Sensitive data is identifiable information that is more sensitive in nature than just a name or email. It includes but isn't limited to the following:
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union memberships
- Genetic or biometric data
- Health information
- Sex life or sexual orientation
What isn't Considered to be Personal Data?
There is information that websites collect about their consumers that is not considered personal data, even though it may be similar to some of the examples above.
Data that won't be considered personal data by many laws can be:
Company information. Generally, company-specific information won't be considered personal data.
This may be a company registration number or a company's general email address (i.e., [email protected]).
On the other hand, if it was [email protected], then that email would be personal data.
The GDPR says this about personal data:
"Data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible."
The key requirement for data to count as anonymous is that the anonymisation is irreversible. If the data can still be used to identify someone at a later date, it is again considered personal data.
This is different from what is called pseudonymised data. Pseudonymised data is data that has been "de-identified and encrypted" but is still able to be used to identify a person. Even though this information has been encrypted, there are ways that it can relate to an individual.
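The difference between pseudonymised and anonymised data described above, shown on access-log records as an added example (not from the original article). The records, the key and all function names are constructed for illustration, and keyed HMAC tokens stand in for the "de-identified and encrypted" step, which is an assumption about how a site might implement it.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample access-log records (date, IP, email, path); not real data.
LOG = [
    ("2024-05-01", "203.0.113.7", "alice@example.com", "/login"),
    ("2024-05-01", "203.0.113.7", "alice@example.com", "/account"),
    ("2024-05-01", "198.51.100.23", "bob@example.com", "/login"),
    ("2024-05-02", "203.0.113.7", "alice@example.com", "/login"),
]

KEY = b"constructed-demo-key"  # hypothetical secret held by the controller


def pseudonym(value, key=KEY):
    """Keyed token for an identifier; the same input always gives the same token."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key=KEY):
    """Swap IP and email for tokens. Still one row per event, per person."""
    return [(d, pseudonym(ip, key), pseudonym(mail, key), path)
            for d, ip, mail, path in records]


def reidentify(token, known_identifiers, key=KEY):
    """With the key, a token can be matched back to an identifier on file."""
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonym(ident, key), token):
            return ident
    return None


def aggregate(records, min_count=1):
    """Daily hits per path. No per-person row survives; buckets smaller than
    min_count are dropped so a lone visitor does not stand out."""
    counts = Counter((d, path) for d, _ip, _mail, path in records)
    return {k: n for k, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    rows = pseudonymise(LOG)
    print(rows[0][2] == rows[3][2])                       # same person stays linkable
    print(reidentify(rows[0][2], ["alice@example.com"]))  # key holder recovers identity
    print(aggregate(LOG, min_count=2))
```

The pseudonymised rows hide the raw email and IP but remain tied to one person for whoever holds the key, while the aggregated counts carry no per-person record to trace back.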
Public Information. Publicly accessible information will usually not be considered personal information.
However, some information that is public may still be personal information. Factors you may want to consider are the nature of the data, how easily accessible the data is, and whether it can relate to or identify the individual.
The CCPA (CPRA) offers a way to differentiate personal from public. It states personal information does not include "publicly available" information, or "information that is lawfully made available from federal, state, or local government records."
In this day and age, websites and apps collect the personal data of their users all the time. Keeping up with the ever-changing privacy laws across the world can be a difficult task, but it is an essential one.
Remember the key items below, and you may be able to help your company avoid potential litigation:
- Check all laws that may apply to your company and your customers.
- Personal data definitions will vary, but are similar.
- Personal data is data that "relates to" and can identify a person directly or indirectly.
- Examples of the data are not exclusive, and the definitions are broadly construed for a reason.