Personal information is any information that can identify a person, from someone's name and address to their device identifier and account number.
Personal information, also called personal data, is any information that relates to a specific person. Some of the most obvious examples of personal information include someone's name, mailing address, email address, phone number, and medical records (if they can be used to identify the person). In addition, some privacy frameworks consider anything that can help determine someone's identity, such as online identifiers or Internet browsing history, to be personal information.
Internet technology has made personal data collection more widespread than ever before. Today, personal information is stored in a variety of places. For instance, web applications, social media platforms, ad networks, employers, or healthcare providers all might have data about a given person stored in digital form on servers all over the world. This has important implications for data privacy, as people may have less control over who can see their personal information than they want.
There are several legal definitions of "personal information" and "personal data" under various types of privacy legislation. This article includes definitions from the GDPR and the CCPA, which are two crucial pieces of modern-day privacy legislation especially for businesses that operate in the US and the EU. However, regulations in countries around the world have their own definitions.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to EU residents' data. It considers personal data to be any information related to a natural identifiable person. This includes anything that could be used to identify someone, including pseudonymized data and certain cookie identifiers associated with a web browsing session. The GDPR states:
"'[P]ersonal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
The California Consumer Privacy Act (CCPA) applies to businesses that collect data about residents of the US state of California. The CCPA defines personal information in this way:
"'Personal information' means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The CCPA goes on to list many types of personal information, including IP address, biometric information, Internet browsing history, and others. Find the complete list in the California Consumer Privacy Act, section 1798.140.
Personally identifiable information (PII) is another term for personal information. The term is more common in the US, where there are several definitions for it. European legislation such as the GDPR tends to use the term "personal data" instead of PII.
Many data protection legal frameworks limit the amount of personal information that a business can collect. If a business does have to collect or store personal information in order to function, it needs to take sufficient precautions to keep that data secure and private.
Some of the most important steps for protecting personal information include:
Additional steps are listed in the Fair Information Practices, a commonly referenced set of data privacy principles.
There are several steps individuals can take to make sure their information stays as secure and private as possible.
Use strong passwords and two-factor authentication: Users should avoid reusing passwords or using weak passwords that can be easily guessed. In addition, two-factor authentication (2FA) makes online accounts much more secure.
Look for warrant canaries: Check a service's warrant canaries to see if they have changed their policies on sharing information with government entities.
Opt out of information sharing: Under the CCPA, California residents have to be given the option to opt out of the sale of their personal information. Doing so helps limit the number of third parties that will see their data.
Control cookie usage: Some browser cookies are necessary for websites to function properly, but blocking unnecessary cookies when possible helps limit the number of third parties that are tracking a person's online activities.
Use end-to-end encryption: End-to-end encryption ensures that messages remain private from everyone, including the messaging service. Learn more about end-to-end encryption.
Use secure, privacy-focused DNS: DNS resolvers sometimes track which domains a person visits, often in order to sell this information to advertisers. A privacy-focused DNS resolver, like 126.96.36.199, helps people keep their browsing history protected from prying eyes.