What is personal information? | Personal data

Personal information is any information that can identify a person, from someone's name and address to their device identifier and account number.

Learning Objectives

After reading this article you will be able to:

  • Explain the legal definitions for 'personal data' and 'personal information'
  • Understand how personal information collection affects privacy
  • Explore various methods for protecting personal information

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is personal information or personal data?

Personal information, also called personal data, is any information that relates to a specific person. Some of the most obvious examples of personal information include someone's name, mailing address, email address, phone number, and medical records (if they can be used to identify the person). In addition, some privacy frameworks consider anything that can help determine someone's identity, such as online identifiers or Internet browsing history, to be personal information.

Internet technology has made personal data collection more widespread than ever before. Today, personal information is stored in a variety of places. For instance, web applications, social media platforms, ad networks, employers, or healthcare providers all might have data about a given person stored in digital form on servers all over the world. This has important implications for data privacy, as people may have less control over who can see their personal information than they want.

There are several legal definitions of "personal information" and "personal data" under various types of privacy legislation. This article includes definitions from the GDPR and the CCPA, which are two crucial pieces of modern-day privacy legislation especially for businesses that operate in the US and the EU. However, regulations in countries around the world have their own definitions.

What is the GDPR definition for 'personal data'?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to EU residents' data. It considers personal data to be any information related to a natural identifiable person. This includes anything that could be used to identify someone, including pseudonymized data and certain cookie identifiers associated with a web browsing session. The GDPR states:

"'[P]ersonal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

How does the CCPA define 'personal information'?

The California Consumer Privacy Act (CCPA) applies to businesses that collect data about residents of the US state of California. The CCPA defines personal information in this way:

"'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

The CCPA goes on to list many types of personal information, including IP address, biometric information, Internet browsing history, and others. Find the complete list in the California Consumer Privacy Act, section 1798.140.

What is PII (personally identifiable information)?

Personally identifiable information (PII) is another term for personal information. The term is more common in the US, where there are several definitions for it. European legislation such as the GDPR tends to use the term "personal data" instead of PII.

How should businesses protect personal information?

Many data protection legal frameworks limit the amount of personal information that a business can collect. If a business does have to collect or store personal information in order to function, it needs to take sufficient precautions to keep that data secure and private.

Some of the most important steps for protecting personal information include:

  • Limiting data collection and retention. Data should not be retained longer than necessary, since the more data a company possesses, the greater the potential impact of a data breach.
  • Securing data from potential breaches. One of the most important technologies for securing data is encryption; organizations can take a number of other steps as well to protect their systems, from using firewalls to using secure web gateways.
  • Limiting internal access with access control. Access control ensures that only authorized parties access systems and data. Unauthorized access can result in a data breach or privacy violation.
  • Prioritizing privacy. Businesses should build security and privacy into their services both to avoid violating privacy regulations and to protect their customers.

Additional steps are listed in the Fair Information Practices, a commonly referenced set of data privacy principles.

What are some of the ways people can protect their personal information?

There are several steps individuals can take to make sure their information stays as secure and private as possible.

Use HTTPS websites only: Avoid websites that do not use TLS encryption to protect data going to and from their servers. Such websites use HTTP instead of HTTPS.

Review Terms of Service and Privacy Policy: These are important for understanding how much personal information a website or application collects, and what happens to that personal information.

Use strong passwords and two-factor authentication: Users should avoid reusing passwords or using weak passwords that can be easily guessed. In addition, two-factor authentication (2FA) makes online accounts much more secure.

Look for warrant canaries: Check a service's warrant canaries to see if they have changed their policies on sharing information with government entities.

Opt out of information sharing: Under the CCPA, California residents have to be given the option to opt out of the sale of their personal information. Doing so helps limit the number of third parties that will see their data.

Control cookie usage: Some browser cookies are necessary for websites to function properly, but blocking unnecessary cookies when possible helps limit the number of third parties that are tracking a person's online activities.

Use end-to-end encryption: End-to-end encryption ensures that messages remain private from everyone, including the messaging service. Learn more about end-to-end encryption.

Use secure, privacy-focused DNS: DNS resolvers sometimes track which domains a person visits, often in order to sell this information to advertisers. A privacy-focused DNS resolver, like, helps people keep their browsing history protected from prying eyes.