What is personal information and how is it defined under various privacy laws?

According to most data privacy laws, personal information is data from or about a person that can be used to identify them. It can include basic information, like a person’s name or phone number, sensitive details like financial or healthcare information, and even activities online.
Published by Usercentrics
Dec 26, 2024

Personal information is required for almost everything we do online. Or, at least, we leave a trail of it pretty much everywhere, whether we know it or not. Whether we’re filling out a form, shopping, sharing a photo on social media, or even just browsing a website, data about who we are, what interests us, and what we’re doing is being collected. But is all of this information “personal”? What exactly counts as personal information and why is it so important?

Businesses need to understand personal information to maintain their marketing efforts and deliver personalized experiences customers want, while remaining compliant with global privacy laws.

So let’s talk about how personal information is defined, how various privacy laws protect it, and how companies can handle it responsibly.

What is personal information or personal data?

Personal information refers to any data that can be used to identify an individual. This broad term covers everything from basic information about a person, including identifiers like names and addresses, to more sensitive information like financial and health data, and even increasingly advanced categories like biometric information.

Sometimes the only real distinction is the wording used in regulatory texts. Some use “personal information” and some use “personal data”. The definitions and examples could be pretty much the same.

However, companies need to be aware that each data privacy law does have its own specific definition of personal information. So it’s important to understand if that law is relevant to your business operations and requires your compliance.

While you may access or store personal information from various platforms, such as social media, apps, servers, and more, you need to make sure that you collect, store, and use personal data properly according to applicable laws, frameworks, and policies.

What is personally identifiable information (PII)?

While personal information and Personally Identifiable Information (PII) are often used interchangeably, there are differences. PII is a specific subset of personal information, and a term mostly used in the United States. It also refers to any data that could directly or indirectly identify a person. This includes information such as a person’s:

  • full name
  • Social Security number (SSN)
  • driver’s license number
  • phone number
  • email address

While PII in the US might exclude data like that collected by cookies, or IP addresses, the General Data Protection Regulation (GDPR) does consider them personal data if they can be used to identify an individual (typically in combination with other data points).


What is protected personal information?

Protected personal information, also known as sensitive personal information or data, refers to information that requires special safeguards due to its private nature and the greater potential for harm if it is exposed or misused.

This may include special categories of data defined by regulations like the GDPR, such as racial or ethnic origin, political opinions, health information, and biometric data. Typically, under data privacy laws, there are greater restrictions on when this information can be collected and used, what purposes it can be used for, requirements for consent from the people it’s collected from, and stronger requirements for securing and destroying it.

Types of personal information

Personal information comes in many forms, and not all data is treated equally, including from regulation to regulation. It’s important to be aware of all types of personal information that your business may process to handle it responsibly. We’ll cover the different categories below.

Basic identifiers

Basic identifiers are often the first personal details that businesses collect. They include:

  • full name
  • home address
  • date of birth

These are the building blocks of identity, used in everything from signing up for accounts to making ecommerce purchases to verifying your identity when you apply for credit. While these details might seem straightforward, they’re the first information cybercriminals collect for identity theft and fraud because they are so commonly needed and used.

Financial information

Financial information includes personal data such as:

  • bank account details
  • credit card numbers
  • credit scores

This kind of information is pretty much always categorized as sensitive where that designation exists. Breaches involving this type of information tend to be among the most damaging. Fraudulent charges, stolen identities, and credit rating damage are just a few of the risks that come with exposed financial information. For businesses, securing this data is critical not just for privacy compliance, but also to maintain customer trust, and includes physical, technical, and human measures.

Biometric data

Biometric data refers to unique physical characteristics used for identification, such as:

  • fingerprints
  • facial recognition data
  • retinal scans

Biometric security systems are increasingly used for everyday tasks, from unlocking phones to boarding planes. However, these technologies come with risks. Unlike a password, you can’t change your fingerprint if it’s compromised. Also, individuals have little knowledge of what the data could be used for depending on who collects it, e.g. for an app created by a foreign company.

Health information

Health-related personal information is among the most sensitive types of data. It includes:

  • medical records
  • prescription histories
  • genetic information

Laws like the Health Insurance Portability and Accountability Act (HIPAA) in the US and the GDPR in Europe place strict limits on how this data is handled. Mishandling health data can result in financial penalties and harm to patients if their privacy is breached.

Digital identifiers

In the online world, personal information also includes digital identifiers, such as:

  • IP addresses
  • device IDs
  • browser cookie IDs

These details may not seem personal at first glance, but they can be used to identify individuals when combined with other data, and can enable a significant amount of tracking. Advertisers and tech companies heavily rely on this type of data for targeted marketing, which can raise significant privacy concerns, especially as some of these tools enable tracking of users not just while they are on a company’s website, but across the internet as they browse.

Personal information by data privacy laws

Protecting personal data is a priority for governments worldwide, but different regions take their own approach. From Europe’s stringent GDPR to the patchwork of state laws in the United States, these rules define how personal information is handled and what rights individuals have. Let’s break down how major regions address data privacy.

General Data Protection Regulation’s definition of personal information

The General Data Protection Regulation is generally seen as the global gold standard for data protection. It defines personal data broadly, covering anything that identifies or could identify someone. This definition includes names and addresses, and less obvious data like IP addresses, cookies, or even opinions.

The GDPR gives individuals control over their data, including the right to:

  • correct inaccurate or incomplete data
  • access their personal data held by organizations
  • delete their data in certain circumstances (“right to be forgotten”)
  • object to certain specific uses of their data
  • transfer their data between services (data portability)

It also introduces special protections for sensitive data, such as racial origin, political views, religious beliefs, and biometric information.


Switzerland’s FADP definition of personal information

Switzerland’s revised Federal Act on Data Protection (FADP), effective from 1 September 2023, aligns closely with the GDPR while introducing some unique features.

Like the GDPR, it defines personal data broadly, including sensitive categories like genetic and biometric information. The FADP grants individuals rights to access, correct, and object to data use, and introduces principles like privacy by design and privacy by default. Additionally, it mandates that organizations promptly notify the Federal Data Protection and Information Commissioner in the event of a data breach.

UK GDPR’s definition of personal information

The UK has retained many of the GDPR’s principles, while tailoring them to suit its national needs. It applies to automated and organized manual data processing and emphasizes seven principles for handling data.

  1. Lawfulness, fairness, and transparency: Be clear and lawful about how data is used.
  2. Purpose limitation: Use data only for specified purposes.
  3. Data minimization: Only collect what’s necessary for the stated purposes.
  4. Accuracy: Keep data accurate and up to date.
  5. Storage limitation: Only keep data as long as it is needed.
  6. Integrity and confidentiality: Secure data appropriately.
  7. Accountability: Prove compliance with these principles.

The CPRA and various US state laws’ definition of personal information

The US doesn’t have a single federal data privacy law, but instead relies on state and industry-specific regulations. The California Privacy Rights Act (CPRA) is one of the strongest. Building on the earlier California Consumer Privacy Act (CCPA), it gives residents rights such as the right to:

  • know what data is collected and how it’s used
  • delete their data
  • opt out of data sales
  • correct inaccuracies
  • restrict sensitive data use

In total, as of the end of 2024, 21 states have passed data privacy laws.

Canada’s PIPEDA definition of personal information

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) defines personal information as anything factual or subjective that identifies someone. This includes:

  • basic identifiers (e.g. name, age, ID numbers)
  • opinions or evaluations
  • medical or financial records

Organizations must obtain consent to collect, use, or share this data. Individuals have the right to access their information and request corrections.

Australia’s Privacy Act of 1988 and its definition of personal information

Australia’s Privacy Act covers any information or opinion about an identifiable person, such as:

  • names, addresses, dates of birth
  • medical or financial details
  • photos, videos, and even IP addresses

This act is governed by 13 Australian Privacy Principles (APPs), which outline how organizations should collect, use, store, and share personal data securely.

Brazil’s Lei Geral de Proteção de Dados / General Data Protection Law definition of personal information

Brazil’s General Data Protection Law (LGPD) is similar to the GDPR. It defines personal data broadly, and includes identifiers like names and online behaviors. Key features include:

  • Consent requirements: Data can’t be processed without permission unless another legal basis applies.
  • Individual rights: People can access, correct, delete, or withdraw consent for their data.
  • Data protection officers (DPOs): Companies must appoint someone to ensure compliance.

Country/Region | Regulation | Personal information definition
European Union | General Data Protection Regulation (GDPR) | Broad: includes names, addresses, IP addresses, cookies, and opinions. Protects sensitive data, such as racial origin, political views, and biometrics. Requires consent for most data use.
Switzerland | Federal Act on Data Protection (FADP) | Aligns with the GDPR. Includes genetic and biometric data, emphasizes privacy principles, and mandates breach notifications. Requires consent for most data use.
United Kingdom | UK GDPR | Based on the GDPR. Covers automated and manual data processing. Includes names, addresses, and sensitive information. Requires consent for most data use.
United States | California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA) and other state laws | Varies by state. Examples include names, contact details, financial info, and behaviors. The CCPA/CPRA provides such rights as opting out of sales and deleting data. Does not require consent for most data use.
Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | Includes factual and subjective identifiers, such as names, opinions, medical and financial records. Requires consent for most data use.
Australia | Privacy Act of 1988 | Includes names, addresses, birth dates, medical and financial details, photos, and IP addresses. Governed by 13 Australian Privacy Principles. Requires consent for most data use.
Brazil | General Data Protection Law (LGPD) | Broad: covers identifiers like names, addresses, and online behaviors. Emphasizes consent and individual rights such as access, correction, and deletion. Requires consent for most data use.

How businesses can protect personal information

Businesses handle vast amounts of personal data daily, from customer names and addresses to sensitive financial and health information. With data breaches and cyberattacks on the rise, protecting this information has become an essential part of doing business.

Here are a few tips to protect your users’ personal information.

1. Follow data minimization best practices

Data minimization is the principle of collecting only the information that is absolutely necessary for a specific, stated purpose. The more data a business collects, the more complex security becomes, the greater the risk of harm if a breach occurs, and the harder it is to maintain compliance with privacy laws. For instance, if you’re running a retail website, consider whether you really need to collect a customer’s date of birth or gender for a basic purchase.

To implement data minimization, businesses should review their data collection practices and eliminate any fields that aren’t essential. This process starts with an audit of all forms, applications, and touchpoints where data is gathered. Ask critical questions like, “Why are we collecting this data?”, “What will we use it for?” and “What’s the risk if we don’t collect it?”

Once the data minimization process is in place, audit it regularly and continue to pare down data collected and maintained to what is required, and securely destroy, anonymize, or return data no longer needed.


2. Employ encryption

Encryption is one of the most effective tools for protecting personal information. It helps to ensure that even if data is intercepted or accessed without authorization, it is unreadable. Modern encryption algorithms like AES-256 are nearly impossible to break, providing a strong layer of protection for sensitive information such as credit card numbers, Social Security numbers, and health records.

Data should be encrypted both in transit and at rest. For example, when a customer submits their credit card information on an ecommerce platform, it should be encrypted immediately. Similarly, data stored in databases should also be encrypted to prevent unauthorized access. Encryption keys must be managed securely, as losing or exposing the keys can render the encryption useless.
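As an added example (Go code written for this article, not code from Usercentrics or any product it describes), here is field-level encryption at rest using AES-256-GCM from Go’s standard library: a card number is sealed before it is written to a database column and opened again on read. The function names, the customer identifier used as associated data, and the demo key are assumptions for the example; the key itself is the part that must live in a key management service or secrets store, never next to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not code from the original article. EncryptField seals one
// sensitive value with a 32-byte (AES-256) key. The returned blob is
// nonce || ciphertext || GCM tag, so it fits in a single database column.
// "aad" (additional authenticated data) binds the blob to its record, e.g. a
// customer ID, so a ciphertext cannot be moved between rows undetected.
func EncryptField(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every encryption: reusing a nonce under the same
	// key destroys both the confidentiality and the integrity guarantees of GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField. Any change to the blob, or a different aad,
// makes gcm.Open fail, so tampering is detected instead of silently decrypted.
func DecryptField(key, blob, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // constructed demo key; in production fetch it from a KMS or secrets store
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := EncryptField(key, []byte("4111111111111111"), []byte("customer:1042"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptField(key, blob, []byte("customer:1042"))
	fmt.Printf("stored %d bytes, decrypted %q, err=%v\n", len(blob), pt, err)
}
```

Transport encryption (TLS) covers the data in transit; this block covers the copy that sits in the database. Rotating the key means re-encrypting stored blobs, which is another reason to keep key material in a dedicated service rather than in application configuration.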

3. Implement access controls

Not everyone in your organization needs access to personal data. Limiting access reduces the risk of accidental exposure or internal misuse. Role-based access control (RBAC) means that employees only have access to the data necessary for their specific job functions.

Begin by categorizing data into levels of sensitivity. For instance, financial records might be classified as “high sensitivity” and restricted to accounting personnel, while email addresses and general customer inquiries could be accessible to the customer service team. Use identity verification methods, such as multifactor authentication, to prevent unauthorized individuals from accessing systems containing sensitive data.

4. Set up routine employee training

Human error is one of the leading causes of data breaches. Employees who aren’t trained in data privacy best practices may inadvertently expose sensitive information, for example, by falling for phishing scams or mishandling data.

To help mitigate these risks, businesses should implement regular, mandatory training sessions on data security. These sessions should cover topics like recognizing phishing emails, securely handling personal data, and understanding the legal requirements of privacy laws like the GDPR or the CCPA. Keep the training relevant by including real-world examples of breaches and their consequences. Regular refreshers can help employees stay vigilant as threats evolve.

5. Establish strong password policies

Weak passwords are an open door for hackers. Simple or reused passwords can be easily guessed or cracked, giving attackers access to sensitive systems and data. Businesses must enforce strong password policies to prevent such vulnerabilities.

Require employees and users to create passwords using current best practices. Encourage the use of password managers, which can generate and store complex passwords securely and remove the need to remember many passwords or to rely on insecure tactics like writing passwords on sticky notes. Additionally, implement account lockout mechanisms to protect against brute force attacks, in which hackers attempt to guess passwords through automated repeated attempts that can process millions of “tries” in seconds.

6. Conduct regular security audits

Security is not a one-and-done activity; it requires ongoing assessment and improvement. Regular audits enable businesses to identify vulnerabilities, maintain compliance with privacy regulations, and adapt to emerging threats.

Conducting a security audit involves reviewing current data protection measures, testing for potential weaknesses, and evaluating compliance with legal requirements. This can include penetration testing to simulate attacks and identify weak points. After an audit, prioritize addressing high-risk vulnerabilities and document any improvements made to demonstrate compliance in the event of an investigation.

7. Secure third-party relationships

Many businesses rely on third-party vendors for services like payment processing, cloud storage, or customer management. However, these vendors may have access to sensitive data, making them an extension of your organization’s risk. Under many data privacy laws, the controller is responsible for the compliance of the processor. Third parties like vendors are considered processors, and the businesses relying on them are the controllers.

Before partnering with a vendor, assess their data protection policies and certifications to see if they meet your security standards. Include data protection clauses in contracts, specifying how the vendor will handle and secure personal information. Regularly review vendor practices and request updates to their compliance certifications. Contractual agreements regarding data privacy and protection operations are also required under many data privacy laws.

8. Implement an incident response plan

Despite taking precautions, data breaches can still occur. Having a well-defined incident response plan means that your business can act quickly to mitigate damage, notify affected parties and authorities, and comply with legal reporting requirements. This is also a legal requirement under many data privacy laws.

An effective incident response plan should outline the steps to take in case of a breach and the timeline to undertake them, such as containing the breach, assessing the scope of the damage, and notifying customers and regulators. Assign clear roles to team members so everyone knows their responsibilities in a crisis. Make sure all relevant parties are familiar with and can access the plan, and regularly test it through simulations to identify weaknesses and improve readiness.

9. Follow data anonymization and masking best practices

Sometimes businesses need to use personal data for analysis or testing without exposing sensitive details. Data anonymization and masking techniques enable organizations to remove or obscure identifiable information while retaining the utility of the data.

Examples of data anonymization include replacing customer names with randomized identifiers, or aggregating data to avoid exposing individual identities. Anonymized data can often be used without requiring the same strict legal protections as identifiable personal data, offering a compliance-friendly alternative for certain tasks.
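As an added example (Go code written for this article, not Usercentrics code), here are the three techniques just named applied to a constructed customer list: keyed pseudonymization of identifiers, masking of card numbers, and aggregation into age bands with small groups suppressed. The record layout, field names, key, and the minimum group size are assumptions for the example. The security point worth noticing is that a keyed pseudonym can be reversed by whoever holds the key, so that data is pseudonymized rather than anonymized and is still personal data under the GDPR; only the aggregate counts approach true anonymity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Added example, not code from the original article. Customer is a constructed record.
type Customer struct {
	Name  string
	Email string
	Card  string
	Age   int
}

// Pseudonymize replaces an identifier with a keyed HMAC-SHA256 token. The same
// input always yields the same token, so analysts can still join and count
// records, but the original value cannot be recovered without the key. The key
// must therefore be kept outside the analytics environment.
func Pseudonymize(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// MaskCard keeps only the last four digits, which is what support staff
// typically need to confirm a card with a customer.
func MaskCard(card string) string {
	digits := strings.ReplaceAll(card, " ", "")
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// AgeBand generalises an exact age into a ten-year band.
func AgeBand(age int) string {
	lo := (age / 10) * 10
	return fmt.Sprintf("%d-%d", lo, lo+9)
}

// AggregateByAgeBand counts customers per band and suppresses any band with fewer
// than minCount members, because a count of one or two can single out a person.
func AggregateByAgeBand(cs []Customer, minCount int) map[string]int {
	counts := map[string]int{}
	for _, c := range cs {
		counts[AgeBand(c.Age)]++
	}
	for band, n := range counts {
		if n < minCount {
			delete(counts, band)
		}
	}
	return counts
}

// SampleCustomers is constructed test data (card numbers are well-known test numbers).
func SampleCustomers() []Customer {
	return []Customer{
		{"Ada Lovelace", "ada@example.com", "4111 1111 1111 1111", 36},
		{"Bob Ng", "bob@example.com", "5500 0000 0000 0004", 41},
		{"Cy Park", "cy@example.com", "3400 0000 0000 009", 72},
		{"Di Moss", "di@example.com", "4111 1111 1111 1111", 38},
	}
}

func main() {
	key := []byte("constructed-demo-key") // in production: fetched from a secrets store
	for _, c := range SampleCustomers() {
		fmt.Printf("%s %s %s\n", Pseudonymize(key, c.Email), MaskCard(c.Card), AgeBand(c.Age))
	}
	fmt.Println(AggregateByAgeBand(SampleCustomers(), 2))
}
```

Running it on the sample shows only the 30-39 band in the aggregate, because the other bands contain a single customer each and are suppressed.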

10. Comply with applicable privacy laws

Every business that processes personal data must comply with applicable privacy laws and policies. Noncompliance can result in hefty fines and reputational damage. Familiarize yourself with laws relevant to your industry and location, such as the GDPR, the CPRA, or HIPAA.

To maintain compliance, appoint a Data Protection Officer, which is sometimes required by law, and document all data protection measures. Use a data privacy impact assessment for new projects that involve handling personal data to align with legal standards.

11. Monitor for threats

Advanced monitoring tools can detect unauthorized access or suspicious activity in real time, enabling businesses to respond before significant damage occurs. Use intrusion detection systems and behavioral analytics to monitor network traffic and flag anomalies.

Implementing monitoring solutions provides an added layer of security, especially for businesses handling large volumes of sensitive data. Regularly review logs and reports to flag incidents and resolve them promptly.
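The following added example (Go written for this article, not code from Usercentrics) serves both the account lockout mechanism from tip 5 and the monitoring described here. It parses constructed login log lines, locks an account once it reaches a number of failed attempts inside a sliding window, and raises a separate alert when one source address accumulates the same number of failures across any accounts, which is how password spraying shows up when each account sees only one failure. The log format, field names, sample addresses, and threshold values are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Added example, not code from the original article. Event is one parsed login attempt.
type Event struct {
	At     time.Time
	User   string
	Src    string
	Failed bool
}

// ParseLine reads the constructed format "<RFC3339 time> login user=<u> src=<ip> result=<ok|fail>".
// Malformed lines are rejected rather than guessed at.
func ParseLine(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{At: at}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "src":
			ev.Src = kv[1]
		case "result":
			ev.Failed = kv[1] == "fail"
		}
	}
	return ev, true
}

// Alert is what the monitoring layer would forward to the security team.
type Alert struct {
	Kind string // "lockout" (per account) or "bruteforce" (per source address)
	Key  string
	At   time.Time
}

// push records a failure time for key and returns how many failures fall inside
// the sliding window ending at "at"; older entries are discarded.
func push(m map[string][]time.Time, key string, at time.Time, window time.Duration) int {
	ts := append(m[key], at)
	i := 0
	for i < len(ts) && at.Sub(ts[i]) > window {
		i++
	}
	m[key] = ts[i:]
	return len(ts) - i
}

// Detect processes log lines in time order. An account is locked (once) when it
// reaches "threshold" failures inside "window"; a source address raises a
// brute-force alert when it reaches the same threshold across any accounts.
func Detect(lines []string, threshold int, window time.Duration) []Alert {
	var evs []Event
	for _, l := range lines {
		if ev, ok := ParseLine(l); ok {
			evs = append(evs, ev)
		}
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	perUser, perSrc := map[string][]time.Time{}, map[string][]time.Time{}
	locked := map[string]bool{}
	var alerts []Alert
	for _, ev := range evs {
		if !ev.Failed {
			delete(perUser, ev.User) // a successful login resets the account's failure window
			continue
		}
		if n := push(perUser, ev.User, ev.At, window); n >= threshold && !locked[ev.User] {
			locked[ev.User] = true
			alerts = append(alerts, Alert{"lockout", ev.User, ev.At})
		}
		if n := push(perSrc, ev.Src, ev.At, window); n == threshold {
			alerts = append(alerts, Alert{"bruteforce", ev.Src, ev.At})
		}
	}
	return alerts
}

// SampleAuthLog is constructed: one spray from a single address, one account hit
// from several addresses, and one account whose old failure falls outside the window.
func SampleAuthLog() []string {
	return []string{
		"2024-12-26T10:00:01Z login user=alice src=198.51.100.4 result=ok",
		"2024-12-26T10:00:05Z login user=u1 src=203.0.113.7 result=fail",
		"2024-12-26T10:00:09Z login user=u2 src=203.0.113.7 result=fail",
		"2024-12-26T10:00:14Z login user=u3 src=203.0.113.7 result=fail",
		"2024-12-26T10:00:20Z login user=u4 src=203.0.113.7 result=fail",
		"2024-12-26T10:00:27Z login user=u5 src=203.0.113.7 result=fail",
		"2024-12-26T10:01:00Z login user=bob src=198.51.100.20 result=fail",
		"2024-12-26T10:01:30Z login user=bob src=198.51.100.21 result=fail",
		"2024-12-26T10:02:00Z login user=bob src=198.51.100.22 result=fail",
		"2024-12-26T10:02:30Z login user=bob src=198.51.100.23 result=fail",
		"2024-12-26T10:03:00Z login user=bob src=198.51.100.24 result=fail",
		"2024-12-26T10:03:10Z login user=bob src=198.51.100.24 result=fail",
		"2024-12-26T09:30:00Z login user=carol src=198.51.100.30 result=fail",
		"2024-12-26T10:05:00Z login user=carol src=198.51.100.30 result=fail",
		"2024-12-26T10:05:10Z login user=carol src=198.51.100.30 result=fail",
		"2024-12-26T10:05:20Z login user=carol src=198.51.100.30 result=fail",
		"2024-12-26T10:05:30Z login user=carol src=198.51.100.30 result=fail",
	}
}

func main() {
	for _, a := range Detect(SampleAuthLog(), 5, 10*time.Minute) {
		fmt.Printf("%s %s %s\n", a.At.Format(time.RFC3339), a.Kind, a.Key)
	}
}
```

On the sample data this yields two alerts: a brute-force alert for 203.0.113.7 at the fifth failure and a lockout for bob; carol is not locked because her oldest failure has aged out of the ten-minute window. A lockout must be temporary or require a verified unlock, since a permanent lockout lets an attacker deny service to any account by name.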

12. Implement clear data retention policies

Keeping data longer than necessary increases its risk of exposure. Implement clear retention policies to define how long personal data is stored and when it should be securely deleted.

For example, customer transaction records may need to be kept for seven years for tax purposes, but should be purged immediately afterward. Many other kinds of data are not required by law to be kept so long. Much of the information in a customer’s account can be deleted when the customer cancels their account or subscription, for example. Use automated tools to enforce retention policies and maintain compliance with relevant privacy regulations.
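As an added example (Go written for this article, not code from Usercentrics), here is a small retention sweep that applies a per-category schedule to constructed records: transaction records are kept seven years regardless of account status, account profile data is deleted as soon as the customer cancels, and a constructed analytics category expires after a fixed window. The categories, periods, record layout, and function names are assumptions; the actual periods come from the tax, contract, and privacy rules that apply to your business. Unknown categories are routed to review rather than kept silently, so a newly added data type cannot accumulate just because nobody wrote a rule for it.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Added example, not code from the original article. Record is a constructed stand-in
// for a row in a customer data store.
type Record struct {
	ID          string
	Category    string
	CreatedAt   time.Time
	AccountOpen bool // false once the customer has cancelled their account
}

// Rule says how long a category is kept: a fixed period from creation, and/or only
// for as long as the customer's account is open.
type Rule struct {
	Retain           time.Duration // zero means no fixed period
	WhileAccountOpen bool          // true: deletable as soon as the account is closed
}

const day = 24 * time.Hour

// Policy is the constructed retention schedule.
var Policy = map[string]Rule{
	"transaction":     {Retain: 7 * 365 * day},  // kept seven years for tax purposes, even after cancellation
	"account_profile": {WhileAccountOpen: true}, // deleted when the customer cancels
	"analytics_event": {Retain: 13 * 30 * day},  // constructed 13-month window
}

// Decide classifies one record at time "now" as "keep", "delete" or "review".
func Decide(r Record, now time.Time) string {
	rule, ok := Policy[r.Category]
	if !ok {
		return "review"
	}
	if rule.WhileAccountOpen && !r.AccountOpen {
		return "delete"
	}
	if rule.Retain > 0 && now.Sub(r.CreatedAt) > rule.Retain {
		return "delete"
	}
	return "keep"
}

// Sweep returns the IDs due for secure deletion and the IDs needing review, sorted
// so the result is stable enough to log as evidence that the policy was applied.
func Sweep(records []Record, now time.Time) (del, review []string) {
	for _, r := range records {
		switch Decide(r, now) {
		case "delete":
			del = append(del, r.ID)
		case "review":
			review = append(review, r.ID)
		}
	}
	sort.Strings(del)
	sort.Strings(review)
	return del, review
}

// SampleRecords is constructed data covering each branch of the policy.
func SampleRecords() []Record {
	d := func(y, m, dd int) time.Time { return time.Date(y, time.Month(m), dd, 0, 0, 0, 0, time.UTC) }
	return []Record{
		{"t1", "transaction", d(2017, 1, 15), false},    // older than seven years: delete
		{"t2", "transaction", d(2019, 6, 1), false},     // account closed but tax period still running: keep
		{"p1", "account_profile", d(2015, 3, 3), true},  // account open: keep however old
		{"p2", "account_profile", d(2022, 8, 8), false}, // account cancelled: delete
		{"e1", "analytics_event", d(2023, 9, 1), true},  // past the 13-month window: delete
		{"e2", "analytics_event", d(2024, 11, 1), true}, // recent: keep
		{"s1", "support_chat", d(2024, 6, 1), true},     // no rule yet: review
	}
}

func main() {
	now := time.Date(2024, 12, 26, 0, 0, 0, 0, time.UTC)
	del, review := Sweep(SampleRecords(), now)
	fmt.Println("delete:", del, "review:", review)
}
```

In a real system the "delete" list would feed a deletion job that also covers backups and downstream copies, and the run's output would be logged as part of the compliance record.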

13. Secure your physical storage

Not all data is digital, and digital data can still be very portable. Paper records, external hard drives, and USB devices containing personal information must also be secured. Store physical records in locked cabinets, restrict access to authorized personnel, and shred documents when they are no longer needed. Cloud solutions can prevent the need to physically move data around at all, as long as they are adequately secure.

For devices like laptops or USB drives, ensure they are encrypted and password-protected and can be located, shut down, and/or have the hard drive wiped remotely. Avoid leaving devices unattended or in unsecured locations, and use privacy screen filters to prevent unwanted snoopers from viewing information in public places.

14. Conduct regular updates and patching

Outdated software is a common entry point for attackers. Regularly update systems, applications, and devices to fix security vulnerabilities and keep up with evolving threats.

Set up automatic updates wherever possible to apply critical patches promptly. If manual updates are required, create a schedule to ensure no system is overlooked.

What happens if personal information is breached?

When personal information is breached, the consequences for businesses can be severe. They may face regulatory penalties, legal actions, and significant reputational damage.

Under privacy laws like the GDPR, businesses can face fines of up to EUR 20 million or 4 percent of global turnover, whichever is higher.

In the US, laws like the CCPA/CPRA impose fines of USD 2,500 per unintentional violation or USD 7,500 for each intentional violation. Even if a business wasn’t directly responsible for the breach, it could still be held liable, especially if it failed to implement adequate data protection measures or “cure” contributing issues after a warning.

In addition to fines, businesses may experience operational disruptions. Responding to a breach often involves shutting down systems, conducting forensic investigations, and patching vulnerabilities — all of which takes time and resources. A company may also be required to delete data they hold, which can create issues for maintaining operations, or be required to submit to repeated auditing, which can be very time- and resource-consuming.

In the event of a breach, security and legal teams and others must work quickly to notify affected individuals and regulatory authorities, as required by law. In many jurisdictions, businesses are required to inform affected parties and authorities within specific timeframes, and failure to do so can result in further penalties.

The long-term effects of a breach can be just as damaging. Even if a business resolves the immediate issues, it may struggle to recover its reputation. Customers, partners, or investors may lose trust and choose to take their business elsewhere, which can result in a significant decline in revenue. In some cases, a company may face class-action lawsuits or, in extreme circumstances, bankruptcy.

Ultimately, the penalties for a breach — both financial and reputational — make it essential for companies to prioritize data protection. This means investing in security measures and developing a solid incident response plan to minimize the risk and impact of a potential breach.

Protect your customer’s personal information

It is critical to understand what qualifies as personal information to comply with privacy regulations and protect your customers’ data and trust. By identifying and managing personal data correctly, you can minimize the risk of breaches, avoid regulatory compliance penalties, and strengthen your business’s reputation.

Establishing clear processes for handling personal information not only helps your business meet legal requirements, but also demonstrates a commitment to transparency and accountability. These steps support responsible business operations while fostering long-term trust with your customers.
