Decoding ‘Personal Information’ in the context of CCPA
Posted: September 1, 2022
What is Personal Information — or Personal Data?
Within the data privacy sphere, the term ‘personal information’ is encountered in several different contexts. At its core, personal information is any data that relates to an individual and can help identify them, directly or in combination with other data. Such data is often highly sensitive: if compromised it can enable identity theft and fraud, so organizations should implement robust privacy practices to protect the personal information of consumers.
In order to safeguard the personal information of users, organizations are required to comply with a range of data protection legislation, including the European Union GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act), and the CPRA (California Privacy Rights Act), which amends and expands the CCPA. These privacy laws shape how an organization may collect, store, and share the personal data of consumers, and serve as the legal foundation for the protection of identifiable information.
When dealing with personal information, organizations must document their data collection procedures within a comprehensive privacy policy, as is required by legislation such as the GDPR. A privacy policy should include:
- Definitions of personal information
- What personal information consists of
- How personal information is used by the organization
- Whether or not data is sold or shared with third parties
- What rights the consumer has in terms of managing their personal information.
A privacy policy is an essential component of any privacy program, and should be easily accessible for consumers in order to comply with data privacy law.
Types and examples of Personal Information
Different privacy laws provide their own definitions of personal information, but there are key overlaps. Legal definitions commonly describe personal information as any data that can identify an individual, and it is typically divided into two main brackets: Personally Identifiable Information (PII) and Sensitive Personal Information (SPI).
Personally Identifiable Information (PII) comprises data such as name, address, date of birth, social security number, email address, and contact number.
Sensitive Personal Information (SPI) often requires stronger data protection measures due to its nature, and includes information regarding racial or ethnic origin, religion, sexual orientation, health data, biometric data, and more.
Establishing a reliable privacy program is of paramount importance when handling personal information. This ensures that if ever subjected to threats such as inappropriate access or data breaches, consumer data is protected from misuse. Additionally, in strengthening data privacy provisions, organizations can protect themselves from reputational harm or legal fees due to lack of compliance.
Handling different types of information requires compliance with the applicable privacy laws, so organizations must ensure their data collection practices are in line with regulatory requirements. A Consent and Preference Management solution (CPM) can help meet those requirements, and should be considered by organizations that are uncertain about their obligations under this legislation.
What is Personal Information under the CCPA?
The California Consumer Privacy Act (CCPA) is a California state privacy law (not a federal one) that grants consumers several rights over their personal data. As one of the most comprehensive privacy laws in the United States, the CCPA, as amended by the CPRA, sets out the following consumer rights (the last two were added by the CPRA and took effect on January 1, 2023):
- The right to know about what data is collected
- The right to delete personal information upon request
- The right to opt out of the sale or sharing of personal information with third parties
- The right to non-discrimination for exercising CCPA rights
- The right to correct inaccurate information stored against an individual
- The right to limit the use and disclosure of sensitive information
Personal information is defined differently depending on the legislation. Under the California Consumer Privacy Act (CCPA), personal information is defined as:
“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Within the legislation, the CCPA defines both the characteristics of personal information, and, conversely, what is not considered as personal information. To ensure CCPA compliance, and assign the appropriate privacy measures to specific data types, organizations should ensure their data is clearly classified into personal information and non-personal information.
What is not considered Personal Information?
Several categories of information can be collected from a consumer, and the CCPA draws a clear line between what is and isn’t considered personal information. The following are excluded from the CCPA definition of ‘personal information’:
- Publicly available information, meaning information lawfully made available from government records, information the business reasonably believes the consumer has lawfully made available to the general public, or information from widely distributed media
- Consumer information that has been deidentified (the CCPA sets specific conditions for treating data as deidentified, including technical safeguards and a public commitment not to reidentify it)
- Aggregate consumer information, meaning information relating to a group or category of consumers from which individual identities have been removed and that is not linked or reasonably linkable to any consumer or household
Why this distinction matters
Under the California Consumer Privacy Act (CCPA), individuals have the right to request the deletion of their personal information and to prevent it from being sold or shared with third parties. When a consumer makes such a request, the organization must be able to identify the categories of personal information it has collected about that individual and the business purpose for which each category is collected. To meet the CCPA’s provisions, organizations must clearly classify consumer data into what is and isn’t considered personal information, and the categories collected and the purposes of collection should be communicated to consumers at or before the point of collection.
Characteristics of Personal Data under the CCPA
The CCPA enumerates a number of categories of personal information. These include:
- Personal identifiers such as name, alias, address, social security number, contact details, online identifier, Internet Protocol (IP) address, email address, driver’s license number, passport number, identification number, or other similar identifiers.
- Customer records or commercial information, including name, signature, insurance policy number, bank account number, health insurance information, records of personal property, products or services purchased, or other financial information.
- Characteristics of protected classifications under California or federal law.
- Biometric information, meaning physiological, biological, or behavioral characteristics that can be used to establish identity, such as fingerprints, imagery of the face, iris, or retina, voice recordings, and keystroke or gait patterns (physical descriptors such as hair color, eye color, height, and weight fall under the customer records category above).
- Internet or network activity information, including browsing history, search history, or details of any interactions with online services or applications.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information, including employment history, local government records, and educational history.
- Inferences drawn from any above mentioned information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Sensitive personal information.
Who must comply with the CCPA?
The CCPA applies to any for-profit business that does business in California, collects the personal information of California residents, and meets any one of the following criteria:
- The business has annual gross revenue exceeding $25 million.
- The business buys, sells, or shares the personal information of 50,000 or more California residents, households, or devices.
- The business derives 50% or more of its annual revenue from selling personal information.
These are the thresholds of the original CCPA; the CPRA amendments effective January 1, 2023 raise the second threshold to 100,000 or more consumers or households (devices are no longer counted) and extend the third to revenue from selling or sharing personal information. Businesses that meet these criteria must comply with the CCPA’s requirements on the collection and handling of personal information in order to avoid financial penalties and reputational damage.
How will CCPA benefit consumers and businesses?
The CCPA benefits consumers by granting them greater control over their personal data, including the right to know what information is collected, request deletion, and opt-out of data sales. For businesses, compliance with the CCPA can enhance consumer trust and loyalty, improve data management practices, and potentially reduce the risk of data breaches and associated penalties. This dual advantage fosters a more transparent and secure data environment, benefiting both parties.
How can companies comply with the CCPA?
Any organization that is required to be compliant with CCPA must take steps to ensure they adhere to the CCPA’s requirements. Familiarization with the core concepts of CCPA, including consumer rights and business obligations, is the first step in ensuring total compliance. Once this foundational knowledge is secured, organizations should review their privacy practices to ensure the requirements of CCPA are met, as well as updating privacy policies to reflect this.
Businesses that are uncertain about CCPA compliance can use a Consent and Preference Management solution (CPM) to help meet regulatory requirements. A CPM is an effective tool for maintaining compliance and avoiding reputational damage and legal trouble.