13 February 2020
People's lives have never been so comprehensively observed and recorded. And the legal regulation around how businesses use personal information is getting tougher all the time.
Your business probably collects, stores, and shares personal information every day. This means you're subject to legal obligations that you might not even be aware of.
It's essential to understand what personal information your company uses and holds. Thus, the starting point for complying with many important laws and avoiding some very severe penalties is to understand what laws mean when they refer to "personal information."
It's not possible to provide an exhaustive list of all the different types of personal information. But it is helpful to consider some examples.
Different laws define personal information in different ways. We're going to look at lots of different types of information, but note that not every privacy law will consider every example to be "personal information." We'll look at some individual privacy laws later in the article.
We'll call the first type of personal information "contact details." These are the types of information you might use to get in touch with a person, such as:
A person's full name is probably the most obvious example of personal information. But in fact. even a person's first name alone can represent personal information.
It's all about context. For example, the first name "Robert":
A phone number:
An email address:
Although ID numbers appear to be a string of random digits, they can also qualify as personal information.
Not every ID number is personal information. For example, in the US:
The more an online advertiser knows about people, the better its product targeting will be. This rampant collection of personal information is why privacy law is so important right now.
When a user visits a website within an online advertiser's network, the advertiser will install tracking software on the users' device (e.g. a "cookie"). This tracking software records which websites the user visits, what they're searching for, and sometimes where they're located.
It's not hard to see why regulators and legislators have taken an interest in this sort of business activity. A person's internet activity can reveal a lot about them.
Types of online and technical information that might count as personal information include:
It's important to remember that not all of these types of information are considered personal information in every context, or under all privacy laws.
A typical business can process online and technical identifiers in several ways:
Some personal information is objective. A customer might provide your company with their name, address, or IP address. You might ask them for it, you might receive it from someone else, or you might acquire it through the ways they have interacted with your services.
It's also possible to generate subjective personal information about someone. For example:
This is a contentious area, but it's important to consider whether you hold this kind of information. If you can link any information to a living individual, it could be personal information.
Under certain privacy laws, you'll need to provide access to all the personal information you hold about a person at their request. This might make you think twice before sending an email about someone or making a note on their file.
It's good practice to disguise personal information in your possession, in case it's lost or stolen. It's important to distinguish between three types of disguised data:
Under many privacy laws, encrypted and pseudonymized data is still considered personal information.
Therefore, even if you're taking great care to disguise personal information, you must still store it securely. You must also securely store any key or additional information that could be used to link the data to an individual.
Anonymized data is not personal information. But remember - true anonymization cannot be reversed.
To qualify as anonymized data:
Some personal information is more sensitive than other types. Many privacy laws recognize a category of personal information that must be treated especially carefully.
Different laws have different concepts of what constitutes sensitive information. Typical examples include information about:
Some laws require that you only process sensitive information with consent. Some laws require that you take specific action in the event of a data breach involving sensitive information.
It's crucial that you know whether any of the personal information you hold should be treated as "sensitive."
Some more obscure types of data can represent personal information in some circumstances. For example:
Any of these data sets could be personal information if they can be linked to a living individual.
No matter where your company operates, you'll be under some legal obligation to treat personal information with respect. But the extent of this obligation varies.
Stricter privacy laws have stronger rules about how companies store and provide access to personal information. They have bigger fines in place to deter violations. And they also define "personal information" in different ways.
The EU's strict data protection rules have been causing many businesses a headache for decades. This is particularly true since the General Data Protection Regulation (GDPR) passed.
Personal information is called "personal data" under EU law. The GDPR's definition of personal data is at Article 4(1). Personal data is:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier [...]"
All the examples of personal information we examined above are personal data under the GDPR.
Here, the operating data generated by an appliance such as motor power, opening of internal valves, water and energy consumption and other bits of information are disclosed as being "personal data" collected.
If a piece of information can tell you something about a person, even if you'd need extra information to work out who that person is, you should treat it as personal data under the GDPR.
CalOPPA calls personal information "personally identifiable information." Helpfully, CalOPPA lists the types of information it considers personally identifiable information:
This doesn't leave much room for interpretation.
CalOPPA requires website operators to disclose the types of personally identifiable information they collect, along with some other information about how they use such information.
The California Consumer Privacy Act (CCPA) brings US privacy law much closer to that of the EU. However, it mostly applies to large companies.
The CCPA's definition of personal information is heavily inspired by the GDPR's, but is arguably even broader:
"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
At the time of writing, the CCPA is still a new law. It hasn't been tested in the courts yet, and so we don't know how broadly the California Attorney General will be interpreting this definition.
However, the legislators obviously intended to create a definition that covered as much information as possible. If you're covered by the CCPA, you shouldn't take any risks - treat all the types of information we explored above as personal information.
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) covers all private sector organizations operating in Canada.
Section 2 (1) of PIPEDA defines personal information as "information about an identifiable individual."
PIPEDA doesn't provide any examples. However, Canada's privacy watchdog, the Office of the Privacy Commissioner clearly considers a wide variety of types of information to be personal information, including IP addresses and cookie data.
According to the Privacy Act:
"'personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not."
The Office of the Australian Information Commissioner (OAIC) offers some guidance on how to interpret this definition. This guidance refers to "a broad range of information", and includes specific examples such as a person's browsing history.
Note the word "reasonably" narrows the definition of personal information. The OAIC notes that:
"Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as 'personal information'."
This implies a narrower definition of personal information than in some other places, such as the EU.
New, stricter privacy laws are being passed all over the world. The trend is towards more regulation, and a more expansive definition of personal information.
Here are some examples:
Our article on Cookie Consent Outside of the EU is a great resource if you want to know more about international privacy law.
Almost all businesses process a substantial amount of information as part of their everyday business practices. It's crucial to understand which data sets are "personal information" under relevant privacy laws and ensure that you're complying with the law when it comes to how you collect, share, store this information.
Many privacy laws define personal information as information about a living individual, But some laws interpret this more broadly than others.
Take a cautious approach to legal compliance, and always respect your customers' privacy.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.