What is Personal Data?

Written by Chris Slack (FreePrivacyPolicy Legal writer) and last updated on 01 March 2023.


Websites and mobile apps commonly collect and use something called personal data. What personal data is and how it is defined is dictated by laws. Laws and regulations also dictate how that data may be used and collected.

If your website is going to collect and use personal data (sometimes called personal information), you need to know what is considered personal data, what isn't personal data, and examples of when and how you may collect it.

That's what this article will explore.


Unfortunately, there isn't one universal definition of what personal data is. Laws in the U.S. and around the world have described personal data in different ways. Thankfully, while the laws differ in some ways, their descriptions generally agree: personal data is any data that can be used to identify an individual, such as a name, phone number, ID number, screen name, IP address and a variety of other data points.

Let's look at a few laws and their specific definitions.

One of these privacy laws is the GDPR. The GDPR is the EU's primary privacy law, protecting its citizens when their data is collected. It has some of the strictest privacy rules out there. It's also a good place to start to determine what personal data is. Since the law's enactment in 2018, many countries have reworked their privacy laws to mimic the GDPR.

The GDPR defines personal data as "any information that relates to an identified or identifiable living individual."

Something important under the GDPR and other privacy laws is whether the information collected "relates to" an individual. If the information can be related to or can identify a person, it will almost always be considered personal data.

Just as the GDPR applies to the data of EU citizens, each U.S. state law applies to the collection of data from that state's own citizens.

For example, California's CalOPPA applies to the collection of California citizens' data, no matter where the company that collects it is located.

One of the key privacy laws in the U.S. is the CCPA/CPRA, or the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA). Section 1798.140(o)(1) of the CCPA governs how "personal information" is defined, as:

"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household."

While it mirrors most privacy laws in this regard, its definition is expanded to include information that not only relates to or identifies an individual, but is also "reasonably capable of being associated with" a person and even a household. In this regard, the CCPA (CPRA) broadens what can be personal data compared to earlier laws, such as CalOPPA.

CalOPPA defines "personally identifiable information" very specifically with examples. Instead of a broad definition, CalOPPA offers only seven examples of what this could be:

  • First and last name
  • Mailing address
  • Email address
  • Phone number
  • Social Security Number
  • Identifiers that permit online contacting
  • Cookies

New York's SHIELD Act offers an additional definition of personal data to consider in the US. It defines "personal information" as:

"Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person"

With regard to the definition of personal data, remember:

  • Not all personal data is the same for every controller or company. It may be considered personal data for one company, but not for another.
  • Not every law will apply to every country or company. For example, the CCPA (CPRA) and its rules only apply to companies that make over $25 million a year and collect the personal data of California citizens.
  • Personal data may slightly vary not only between countries but also between states. Pay attention to the specific definitions of all the laws you need to comply with because you may be overlooking certain personal data that one law doesn't protect, while another law will protect it.
  • While it's important to double check the definitions, the general thing to remember is that personal data is information that relates to or identifies an individual.

What is Considered to be Personal Data?

As with the definitions, what is considered personal data may vary from law to law.

For example, identifiers under the CCPA (CPRA) can include:

  • Real name
  • Alias
  • Postal address
  • Unique personal identifier
  • Online identifier
  • IP address
  • Email address
  • Some information that isn't public
  • Professional or employment-related data
  • Access logs
  • Error logs
  • Cookies
  • Geolocation data
  • Browser history

All of these identifiers can relate directly or indirectly to a person. Most laws make sure to include this in their definition of personal data. Today, definitions are broadly construed to encompass as much data as possible.

Examples of Commonly Collected Personal Data: What and How


Below is a list of collection points for personal data and what type of data is typically collected at each point.

Via Sign-up Forms

A common collection point for personal data by a website or app is in sign-up forms. A sign-up form will typically ask for an individual's:

  • Email address
  • Name
  • Username
  • Postal address (sometimes)
  • Security questions that relate to the individual

Here's an example of a basic sign-up form that collects an email address:

Generic Create Account form with email field highlighted

Some websites will ask for additional personal information at the time of sign-up. This additional information can be used for security reasons, to help tailor usage of the website, or to confirm the age of the user.

Cookies/Identifiers

Cookies or identifiers are used by websites to help streamline a customer's experience and track site analytics.

These cookies are automatically placed, but you can disclose this in a Privacy Policy clause or a Cookies Policy.

The Adidas Privacy Policy is a good example of explaining why cookies are used and how they relate to personal data:

Adidas Privacy Policy: How do we use cookies, advertising and online tracking clause excerpt

Most, if not all, data privacy laws will have a section dictating how cookies and identifiers are used.

Automatically Collected Data

Many websites automatically collect a variety of data for a number of purposes.

NerdWallet states exactly what type of information is collected automatically when the site is accessed or an email is opened:

NerdWallet Privacy Policy: Information Automatically Collected clause excerpt

Some websites also collect personal data and store that information in logs, such as access logs, error logs, and security audit logs.

These logs collect and store data to document and keep track of how many times a customer has accessed the website or encountered errors. This information can be used to help improve processes and updates.

Google collects personal data that relates to crash reports and system activity that can be used in logs:

Google Privacy Policy: Information we collect clause - Crash reports and system activity section highlighted

Sensitive Data

Sensitive data is identifiable information that is more sensitive in nature than just a name or email. It includes but isn't limited to the following:

  • Race or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships
  • Genetic or biometric data
  • Health information
  • Sex life or sexual orientation

Google defines this type of personal data in its Privacy Policy:

Google Privacy Policy: Sensitive personal information definition

What isn't Considered to be Personal Data?

There is information that websites collect about their consumers that is not considered personal data, even though it may be similar to some of the examples above.

Data that won't be considered personal data by many laws can be:

  • Company information. Generally, company-specific information won't be considered personal data.

    This may be a company registration number or a company's general email address (i.e., [email protected]).

    On the other hand, if it was [email protected], then that email would be personal data.

  • Anonymized Data.

    The GDPR says this about personal data:

    "Data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible."

    The key to data that has become anonymous is that the anonymisation is irreversible. If the data can still be used to identify someone at a later date, it is once again considered personal data.

    This is different from what is called pseudonymised data. Pseudonymised data is data that has been "de-identified and encrypted" but is still able to be used to identify a person. Even though this information has been encrypted, there are ways that it can relate to an individual.

  • Public Information. Publicly accessible information will usually not be considered personal information.

    However, some information that is public may still be personal information. Factors you may want to consider are the nature of the data, how easily accessible the data is, and whether it can relate to or identify the individual.

    The CCPA (CPRA) offers a way to differentiate personal from public. It states personal information does not include "publicly available" information, or "information that is lawfully made available from federal, state, or local government records."

Summary

In today's day and age, websites and apps collect the personal data of their users all the time. Keeping up with the ever-changing privacy laws across the world can be a difficult task, but it is an essential one.

Remember the key items below, and you may be able to help your company avoid potential litigation:

  1. Check all laws that may apply to your company and your customers.
  2. Personal data definitions will vary, but are similar.
  3. Personal data is data that "relates to" and can identify a person directly or indirectly.
  4. Examples of the data are not exclusive, and the definitions are broadly construed for a reason.