Personal Data Definitions: Comparing GDPR vs CCPA vs CDPA vs CPA
• read
Introduction
‘Personal Data’ has different legal definitions in the GDPR, CCPA in California, CDPA in Virginia, LGPD in Brazil and other regulations.
Although personal data is sometimes used interchangeably with PII or personally identifiable information, “personal data” in the GDPR refers to a more specific and strict definition with specific examples and therefore is different (broader) than the PII.
Unfortunately for organizations, there is currently no global standard legal definition of personal data. While all regulations will follow a common approach, some frameworks are very specific and provide actual examples of personal data, while others are more vague and subject to interpretation.
If your organization operates in multiple jurisdictions, you will first need to understand the definitions under each regulation and which regulation(s) apply to the data you collect, use and store.
This will allow you to answer questions such as:
- Which systems and processes store or use data covered under the different regulations?
- What is my company’s obligation regarding the data?
- How can I make sure that my company complies today and into the future?
Below, we will review the current definitions of personal data under key global data privacy and protection regulations.
Personal Data Under CCPA
The CCPA established eleven categories of personal information and provided examples to illustrate most of these categories:
- Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
- Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
- Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
- Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences
The CCPA does not consider publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records as personal information.
In addition, CCPA does not consider personal data the data that has been pseudonymized and de-identified or aggregated and de-identified and because it cannot be reasonably linked to an individual.
One of the key differences between the CCPA and GDPR is that GDPR is exclusive to the individual while the CCPA also includes information not only specific to an individual but also to a household.
To read more about the official definition of personal data under the CCPA, click here to access the official text (Section 1798.140.(o))
Personal Data under CPRA
The CPRA follows the definitions of “personal data” adopted in CCPA. However, the CPRA introduces specific categories of “sensitive data” defined as “personal information that reveals:
- A consumer’s social security, driver’s license, state identification card, or passport number,
- A consumer’s account log-In, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account,
- A consumer’s precise geolocation,
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership,
- The contents of a consumer’s email, and text messages; unless the business is the intended recipient of the communication,
- A consumer’s genetic data.
You can learn more about the new sensitive data categories under CPRA by clicking here (on page 23, 1798.140.(ae)).
Personal Data Under Virginia CDPA
Under the CDPA, the definition of “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable natural person. ‘Personal data’ does not include “de-identified data or publicly available information”
Unlike the CCPA, the CDPA does not provide examples of categories of personal information.
Like CCPA, the definition in CDPA excludes any de-identified data and publicly available information. Publicly available information is defined as “information that is from federal, state, or local government records”.
In addition, the CDPA adds to its definition of publicly available “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.”
Similar to the CPRA, the CDPA introduces the definition of “sensitive data” which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status,
- The processing of genetic or biometric data for the purpose of uniquely identifying a natural person,
- the personal data collected from a known child, or
- Precise geolocation data, which is defined as information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy below 1,750 feet.
You can access the definitions of personal and sensitive data under the CDPA by clicking here (59.1-571- Definitions).
Personal Data Under Colorado CPA
The definition of ‘Personal Data’ under the CPA is closely related to that of Virginia’s CDPA and states that “personal data means:
- (a ) information that is linked or reasonably linkable to an identified or identifiable individual, and
- (b) does not include de-identified data or publicly available information.”
As used in this subsection (17)(b), “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.”
In addition, the Colorado CPA does not include data “maintained for employment records purposes.”.
Similar to the CDPA and CPRA, the CPA defines sensitive data to “mean
(a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status,
(b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or
(c) personal data from a known child.”
To read more about the definitions of persona and sensitive data, please refer to the official text by clicking here (on page 8, 6-1-1303.(17) and on page 10, 6-1-1303.(24)).
Personal Data Under GDPR
Under the GDPR, “Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In addition, the European Commission clarified the above on its website via the Q&A section by mentioning that:
“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
The website also lists examples of personal data under GDPR. These examples include:
- a name and surname
- a home address
- an email address such as name.surname@company.com
- an identification card number
- location data (for example the location data function on a mobile phone)
- an Internet Protocol (IP) address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
As importantly, it also lists examples of what is not considered personal data. These examples are:
- a company registration number
- an email address such as info@company.com
- anonymised data
The GDPR also makes a clear distinction between personal data and sensitive data via the “Special Categories”. The Special Category include:
- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union memberships
- Biometric data used to identify an individual
- Genetic data
- Health data
- Data related to sexual preferences, sex life, and/or sexual orientation
The processing of special category data is prohibited unless:
- “Explicit consent” has been obtained from the data subject, or,
- Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection, or,
- Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent, or,
- Processing is necessary for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health, or,
- For purposes of preventive or occupational medicine, or,
- Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes, or,
- Processing relates to personal data which are manifestly made public by the data subject, or,
- Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
To access more information about the data in scope under GDPR, please refer to the official GDPR website (Article 4 – Definitions and Article 9 – Processing of special categories of personal data)
Conclusion
As you can see, the definitions of personal data vary from one privacy regime to the next. Make sure you have a good understanding of these legal definitions before you work on your data inventory and data mapping initiatives. This is the foundational step of any robust privacy program.
To compare the definitions of “Personal Data” and “Sensitive Data” side-by-side for all these regulations and others such as China’s PIPL, Canada’s PIPEDA, or Brazil’s LGPD, please check our Interactive Privacy Table.