People's lives have never been so comprehensively observed and recorded. And the legal regulation around how businesses use personal information is getting tougher all the time.
Your business probably collects, stores, and shares personal information every day. This means you're subject to legal obligations that you might not even be aware of.
It's essential to understand what personal information your company uses and holds. Thus, the starting point for complying with many important laws and avoiding some very severe penalties is to understand what laws mean when they refer to "personal information."
Types of Personal Information
It's not possible to provide an exhaustive list of all the different types of personal information. But it is helpful to consider some examples.
Different laws define personal information in different ways. We're going to look at lots of different types of information, but note that not every privacy law will consider every example to be "personal information." We'll look at some individual privacy laws later in the article.
We'll call the first type of personal information "contact details." These are the types of information you might use to get in touch with a person, such as:
- First name
- Last name
- Other names
- Mailing address
- ZIP/Postal code
- Email address
- Social media handle
- Phone number
A person's full name is probably the most obvious example of personal information. But in fact, even a person's first name alone can represent personal information.
It's all about context. For example, the first name "Robert":
- Is not personal information if it's written on a scrap of paper and left on a random train
- Is personal information if it's stapled to a set of medical records, and left in the breakroom of the small office where Robert works
A phone number:
- Is not personal information if it appears in a list of numbers without context or attribution
- Is personal information if it appears alongside a person's name
An email address:
Although ID numbers appear to be a string of random digits, they can also qualify as personal information.
- Social security number (US)
- National insurance number (UK)
- Passport number
- Driver's license number
- Taxpayer identity number
- Insurance policy number
Not every ID number is personal information. For example, in the US:
- Every business is required to have an Employer Identification Number (EIN) for tax reporting purposes. Because an EIN is associated with a legal entity and not an individual, it's not personal information.
- Some people have an Individual Taxpayer Identification Number (ITIN). Because an ITIN is associated with an individual, it can be personal information.
The more an online advertiser knows about people, the better its product targeting will be. This rampant collection of personal information is why privacy law is so important right now.
When a user visits a website within an online advertiser's network, the advertiser will install tracking software on the user's device (e.g. a "cookie"). This tracking software records which websites the user visits, what they're searching for, and sometimes where they're located.
It's not hard to see why regulators and legislators have taken an interest in this sort of business activity. A person's internet activity can reveal a lot about them.
Types of online and technical information that might count as personal information include:
- Cookie ID
- IP address (dynamic or static, depending on the context)
- Location data
- Radio frequency identification (RFID) tag
- MAC address
- Pixel tag
- Device fingerprint
- Browsing history
- App and website usage data
- Android or Apple ID
- User-generated content
It's important to remember that not all of these types of information are considered personal information in every context, or under all privacy laws.
A typical business can process online and technical identifiers in several ways:
- If you run analytics software to learn about how people use your website, you could be collecting IP addresses and timestamps
- If you publish a mobile app that uses Google Ads (for example), you could be collecting Android Advertising IDs and data about how people use your app
- If you allow or require users to create an account, you could be collecting all sorts of online identifiers and other personal information
Some personal information is objective. A customer might provide your company with their name, address, or IP address. You might ask them for it, you might receive it from someone else, or you might acquire it through the ways they have interacted with your services.
It's also possible to generate subjective personal information about someone. For example:
- An employee record or complaint file
- A set of notes from a meeting
- Emails between you and a customer or employee about another person
This is a contentious area, but it's important to consider whether you hold this kind of information. If you can link any information to a living individual, it could be personal information.
Under certain privacy laws, you'll need to provide access to all the personal information you hold about a person at their request. This might make you think twice before sending an email about someone or making a note on their file.
It's good practice to disguise personal information in your possession, in case it's lost or stolen. It's important to distinguish between three types of disguised data:
- Encrypted data - a data set that has been scrambled beyond recognition using cryptographic techniques. This process can be reversed using a key.
- Pseudonymized data - a data set that has had "personal" elements changed so that they no longer directly relate to an individual. This process can be reversed by using additional information, held separately.
- Anonymized data - a data set that has had all personal elements permanently changed or removed. This process cannot be reversed.
Under many privacy laws, encrypted and pseudonymized data is still considered personal information.
Therefore, even if you're taking great care to disguise personal information, you must still store it securely. You must also securely store any key or additional information that could be used to link the data to an individual.
Anonymized data is not personal information. But remember - true anonymization cannot be reversed.
To qualify as anonymized data:
- The data must be completely stripped of all personal information
- There must be no key or additional information that could be used to link the information to an individual
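The difference between pseudonymized and anonymized data described above, as an added Python example that is not part of the original article. The sample records, field names and the `pseudonymize`, `reidentify` and `anonymize` helpers are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names, addresses and fields are illustrative only.
RECORDS = [
    {"name": "Robert Example", "email": "robert@example.com",
     "zip": "94105", "purchase": "laundry detergent"},
    {"name": "Ana Sample", "email": "ana@example.org",
     "zip": "94107", "purchase": "printer ink"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Swap direct identifiers for a keyed token.

    Returns (pseudonymized_records, lookup). The key and the lookup table are
    the "additional information": store them apart from the records, because
    anyone holding them can reverse the process.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        identity = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        # Keyed HMAC rather than a bare hash: without the key, a guessed
        # email address cannot be hashed and matched against the token.
        token = hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudonymized.append({"subject": token, **rest})
    return pseudonymized, lookup


def reidentify(record, lookup):
    """Reverse pseudonymization with the separately held lookup table."""
    rest = {k: v for k, v in record.items() if k != "subject"}
    return {**lookup[record["subject"]], **rest}


def anonymize(records):
    """Drop identifiers, coarsen the ZIP code, and keep no key or lookup.

    Whether the remaining fields are truly non-identifying depends on context.
    """
    return [{"zip3": r["zip"][:3], "purchase": r["purchase"]} for r in records]


if __name__ == "__main__":
    pseudo, lookup = pseudonymize(RECORDS, secrets.token_bytes(32))
    print(pseudo[0], reidentify(pseudo[0], lookup), anonymize(RECORDS)[0], sep="\n")
```

Because `reidentify` recovers the original record exactly, the pseudonymized set, the key and the lookup table all need the same protection as the source data.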
Sensitive/Special Category Data
Some personal information is more sensitive than other types. Many privacy laws recognize a category of personal information that must be treated especially carefully.
Different laws have different concepts of what constitutes sensitive information. Typical examples include information about:
- Political or religious views
- Sex life or orientation
- Trade union affiliation
Some laws require that you only process sensitive information with consent. Some laws require that you take specific action in the event of a data breach involving sensitive information.
It's crucial that you know whether any of the personal information you hold should be treated as "sensitive."
Other Types of Personal Information
Some more obscure types of data can represent personal information in some circumstances. For example:
- Information collected from internet of things-connected devices: For example, information about a person's laundry habits, electricity use, or TV preferences.
- Voice commands collected by a voice assistant or voice-controlled app
- Information about the model of a person's car, their mileage, dates of improvements, and repairs (such as might be collected by a mechanic)
Any of these data sets could be personal information if they can be linked to a living individual.
Different Legal Definitions of Personal Information
No matter where your company operates, you'll be under some legal obligation to treat personal information with respect. But the extent of this obligation varies.
Stricter privacy laws have stronger rules about how companies store and provide access to personal information. They have bigger fines in place to deter violations. And they also define "personal information" in different ways.
European Union: the GDPR
The EU's strict data protection rules have been causing many businesses a headache for decades. This is particularly true since the General Data Protection Regulation (GDPR) passed.
Personal information is called "personal data" under EU law. The GDPR's definition of personal data is at Article 4(1). Personal data is:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier [...]"
The Article 29 Working Party, an EU data protection advisory body (now replaced by the EU Data Protection Board), breaks down the definition of personal data into four parts:
- Any information - "Any" information can theoretically be personal data. Personal data can be true or false, sensitive or banal, and take any format.
- Relating to - The information must be about someone. The value of a house is not personal data until it can be linked to an individual (e.g. when it is associated with a specific address or property). At this point, it is personal data because it reveals something about that individual.
- [An] identified or identifiable - This concerns the person to whom the information relates. They can be singled out from a group (identified), or they could theoretically be singled out from a group (identifiable).
- Natural person - A living individual, not a "legal person." Calvin Klein (the fashion designer) is a natural person. He has personal data. Calvin Klein (the corporation) is a legal person. The corporation has some rights. For example, a corporation can sue in court. But a corporation doesn't have personal data. So, email addresses such as [email protected] or [email protected] are personal data, whereas [email protected] or [email protected] are not.
All the examples of personal information we examined above are personal data under the GDPR.
Here, the operating data generated by an appliance such as motor power, opening of internal valves, water and energy consumption and other bits of information are disclosed as being "personal data" collected.
If a piece of information can tell you something about a person, even if you'd need extra information to work out who that person is, you should treat it as personal data under the GDPR.
CalOPPA calls personal information "personally identifiable information." Helpfully, CalOPPA lists the types of information it considers personally identifiable information:
- First and last name
- Address, including a street name and the name of a city or town
- Email address
- Phone number
- Social security number
- Any other identifying contact details
- Cookies, or any other information a website collects about its users, but only when it's maintained in a "personally identifiable form" alongside one of the other items above
This doesn't leave much room for interpretation.
CalOPPA requires website operators to disclose the types of personally identifiable information they collect, along with some other information about how they use such information.
The California Consumer Privacy Act (CCPA) brings US privacy law much closer to that of the EU. However, it mostly applies to large companies.
The CCPA's definition of personal information is heavily inspired by the GDPR's, but is arguably even broader:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
At the time of writing, the CCPA is still a new law. It hasn't been tested in the courts yet, and so we don't know how broadly the California Attorney General will be interpreting this definition.
However, the legislators obviously intended to create a definition that covered as much information as possible. If you're covered by the CCPA, you shouldn't take any risks - treat all the types of information we explored above as personal information.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) covers all private sector organizations operating in Canada.
Section 2 (1) of PIPEDA defines personal information as "information about an identifiable individual."
PIPEDA doesn't provide any examples. However, Canada's privacy watchdog, the Office of the Privacy Commissioner, clearly considers a wide variety of types of information to be personal information, including IP addresses and cookie data.
Australia: Privacy Act
Australia's Privacy Act, and the all-important Australian Privacy Principles, govern the processing of personal information in Australia.
According to the Privacy Act:
"'personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not."
The Office of the Australian Information Commissioner (OAIC) offers some guidance on how to interpret this definition. This guidance refers to "a broad range of information", and includes specific examples such as a person's browsing history.
Note the word "reasonably" narrows the definition of personal information. The OAIC notes that:
"Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as 'personal information'."
This implies a narrower definition of personal information than in some other places, such as the EU.
New, stricter privacy laws are being passed all over the world. The trend is towards more regulation, and a more expansive definition of personal information.
Here are some examples:
- Japan - The Act on the Protection of Personal Information (APPI) (English version) gives a complicated definition of personal information that appears to encompass any information directly or indirectly relating to an individual.
- Mexico - The Federal Law on the Protection of Personal Data Held by Private Parties (English version) defines personal data (personal information) as "any information concerning an identified or identifiable individual."
- Nigeria - The Nigerian Data Protection Regulation 2019 (English version) defines personal data in virtually the same way as the GDPR. The law provides examples such as an IP address and an IMEI number, implying that the law will be applied strictly.
Our article on Cookie Consent Outside of the EU is a great resource if you want to know more about international privacy law.
Almost all businesses process a substantial amount of information as part of their everyday business practices. It's crucial to understand which data sets are "personal information" under relevant privacy laws and ensure that you're complying with the law when it comes to how you collect, share, and store this information.
Many privacy laws define personal information as information about a living individual, but some laws interpret this more broadly than others.
Take a cautious approach to legal compliance, and always respect your customers' privacy.