What Does Personal Data Refer To? A Legal Guide
Learn what personal data refers to under GDPR, CCPA, and other privacy laws, with examples, categories, and compliance obligations.
What does personal data refer to in the context of privacy law? Personal data is any information that relates to an identified or identifiable living person. This definition, established in the GDPR and echoed in privacy laws worldwide, is broader than most people expect and forms the foundation of nearly every compliance obligation your organization faces.
This article provides educational information about data privacy concepts and should not be treated as legal advice. Privacy regulations vary by jurisdiction and evolve frequently, so consult a qualified attorney for guidance tailored to your situation.
The Legal Definition of Personal Data
The GDPR provides the most widely referenced definition. Article 4(1) of the General Data Protection Regulation defines personal data as "any information relating to an identified or identifiable natural person." An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Three elements make this definition significant:
- "Any information" means there is no restriction on the format. Text, images, audio recordings, biometric scans, and behavioral data all qualify.
- "Relating to" means the information must have a connection to the person, whether by content (it describes them), purpose (it is used to evaluate or affect them), or result (its processing impacts them).
- "Identified or identifiable" means that even if you do not know someone's name, data that could lead to their identification through any reasonably likely means is personal data.
Other major privacy laws use similar but not identical definitions. The California Consumer Privacy Act (CCPA), as amended by the CPRA, uses the term "personal information" and defines it as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
What Does Personal Data Refer To in Practice?
Understanding what qualifies as personal data requires looking beyond obvious identifiers. Here are the main categories with examples.
Direct identifiers
Direct identifiers allow immediate identification of a specific person:
- Full name
- Email address
- Phone number
- Social security number or national ID number
- Passport or driver's license number
- Photograph of a person's face
Indirect identifiers
Indirect identifiers do not identify someone on their own but can do so when combined with other data:
- IP address (confirmed as personal data by the CJEU in Breyer v. Germany, Case C-582/14)
- Device identifiers (IDFA, GAID, MAC addresses)
- Cookie identifiers and tracking pixels
- Location data (GPS coordinates, cell tower data)
- Employee ID numbers
- Pseudonymized records (where a key to re-identification exists)
Behavioral and inferred data
Modern privacy law recognizes that patterns of behavior can identify individuals:
- Browsing history and search queries
- Purchase history and transaction records
- App usage patterns
- Content preferences and interaction history
- Inferred interests, demographics, or credit scores derived from other data
Sensitive categories of personal data
The GDPR designates certain types of personal data as "special categories" under Article 9, requiring additional protections:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for identification
- Health data
- Data concerning sex life or sexual orientation
Processing special category data requires both a lawful basis under Article 6 and a specific condition under Article 9, such as explicit consent or a substantial public interest ground.
How Different Privacy Laws Define Personal Data
While the core concept is consistent, the precise boundaries vary across jurisdictions. Understanding these differences matters if your website or service reaches users in multiple regions.
GDPR (European Union and EEA)
The GDPR's definition is intentionally broad and technology-neutral. The European Data Protection Board (EDPB) has confirmed that online identifiers, location data, and even data that is only "potentially" linkable to a person can qualify. The GDPR applies to living natural persons only, not to deceased individuals or legal entities (though some member states extend protection to deceased persons).
CCPA/CPRA (California)
The CCPA defines personal information to include "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The household-level scope is unique to California law and means that data about a shared device or address can qualify even without identifying a specific person. Penalties for violations range from $2,500 per unintentional violation to $7,500 per intentional violation.
Other US state laws
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other state privacy laws generally define personal data as information linked or reasonably linkable to an identified or identifiable individual. Most exclude publicly available information and de-identified data, though the standards for de-identification vary.
Brazil (LGPD)
Brazil's General Data Protection Law defines personal data as information relating to an identified or identifiable natural person, closely mirroring the GDPR. It also recognizes sensitive personal data as a distinct category requiring heightened protections.
What Personal Data Does NOT Include
Understanding the boundaries of personal data is just as important as understanding what it covers.
Truly anonymized data. If data has been processed so that re-identification is not reasonably possible by any party, it is no longer personal data under the GDPR. However, regulators set a high bar for anonymization. Pseudonymized data, where the original identifiers are replaced but a re-identification key exists, remains personal data.
Data about legal entities. A company's registered address, tax ID, or general contact email (like [email protected]) is generally not personal data. However, a sole trader's business address or a named employee's work email is personal data.
Data about deceased persons. Under the GDPR, personal data protections apply only to living individuals. Some national laws extend limited protections to data of deceased persons.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowAggregated statistical data. Genuinely aggregated data that cannot be disaggregated to identify individuals is not personal data. The key test is whether the aggregation is truly irreversible.
Why the Definition of Personal Data Matters for Your Website
If your website collects any information that falls within these definitions, you have compliance obligations. For most websites, personal data collection starts the moment a visitor lands on a page.
Common collection points
Most websites collect personal data through:
- Contact forms and account registration (names, email addresses)
- Analytics tools like Google Analytics (IP addresses, device data, browsing behavior)
- Cookies and tracking technologies (cookie IDs, advertising identifiers)
- Payment processing (billing addresses, payment card details)
- Newsletter signups (email addresses, preferences)
- Comment sections and user-generated content
Compliance obligations triggered
Once you collect personal data, major privacy laws require you to:
- Inform individuals about what data you collect, why, and how you use it, typically through a privacy policy
- Establish a lawful basis for processing (under the GDPR, this is one of six bases in Article 6)
- Implement appropriate security measures to protect the data
- Respond to individual rights requests (access, deletion, correction, portability)
- Restrict international data transfers to jurisdictions without adequate protections unless safeguards are in place
A privacy policy generator can help you create a compliant privacy notice that discloses the categories of personal data you collect and the purposes for which you process it. For cookie-related data collection, pairing your privacy policy with a cookie policy generator ensures you accurately describe the tracking technologies on your site.
Personal Data and Consent Requirements
Not all personal data processing requires consent. Under the GDPR, consent is one of six lawful bases in Article 6, alongside contractual necessity, legal obligation, vital interests, public task, and legitimate interests.
However, consent is required in specific situations:
- Cookies and tracking. The ePrivacy Directive (as interpreted by the CJEU in Planet49, Case C-673/17) requires prior, informed consent for non-essential cookies. This applies to analytics cookies, advertising pixels, and social media embeds.
- Marketing communications. Most jurisdictions require opt-in consent for commercial emails and texts.
- Special category data. Processing sensitive personal data under the GDPR typically requires explicit consent unless another Article 9 condition applies.
When consent is your lawful basis, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not qualify. Consent must be as easy to withdraw as it was to give.
TermsBox's compliance tools, including the website scanner and cookie consent banner, can help identify what personal data your site collects through cookies and third-party scripts and present compliant consent options to visitors.
How to Protect the Personal Data You Collect
Collecting personal data creates a duty to protect it. Article 32 of the GDPR requires "appropriate technical and organisational measures" proportionate to the risk. While the specific measures depend on your context, baseline protections include:
- Encryption for data in transit (TLS 1.2 or higher) and at rest
- Access controls limiting who can view or modify personal data
- Regular backups with tested recovery procedures
- Retention limits so personal data is not kept longer than necessary
- Vendor due diligence ensuring processors meet equivalent security standards
- Incident response procedures for detecting and reporting breaches (within 72 hours to supervisory authorities under GDPR Article 33)
Your privacy policy and terms of service should accurately reflect the security measures you have in place. Promising protections you do not actually implement creates both legal liability and regulatory risk.
Frequently Asked Questions
What does personal data refer to under the GDPR?
Under Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person. This includes direct identifiers like names and email addresses, as well as indirect identifiers like IP addresses, cookie IDs, and location data that can be combined to identify someone.
Is an IP address considered personal data?
Yes. The Court of Justice of the European Union ruled in Breyer v. Germany (Case C-582/14) that even dynamic IP addresses qualify as personal data when the data controller has lawful means to identify the individual. Under the CCPA, IP addresses are explicitly listed as personal information.
What is the difference between personal data and sensitive personal data?
Personal data is any information that identifies or can identify a person. Sensitive personal data (called special category data under GDPR Article 9) includes racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data, sexual orientation, and trade union membership. Sensitive data requires stronger legal grounds and additional safeguards for processing.
Does anonymized data count as personal data?
Truly anonymized data, where re-identification is not reasonably possible, falls outside the scope of the GDPR and most privacy laws. However, pseudonymized data (where identifiers are replaced but re-identification remains possible with additional information) is still personal data. Regulators scrutinize anonymization claims closely, and weak anonymization has been challenged in enforcement actions.