Private Information

By Joseph J. Lazzarotti on December 30, 2019
When privacy geeks talk “privacy,” it is not uncommon for them to use certain terms interchangeably – personal data, personal information, personally identifiable information, private information, individually identifiable information, protected health information, or individually identifiable health information. They might even speak in acronyms – PI, PII, PHI, NPI, etc. Blurring those distinctions might be OK for casual conversation, but as organizations develop data privacy and security compliance programs, the meanings of these terms can have significant consequences. A good example exists within the California Consumer Privacy Act (“CCPA”) and its interaction with other laws.
The CCPA, effective January 1, 2020, contains an expansive definition of “personal information.” See Cal. Civ. Code Sec. 1798.140(o). The basic definition is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition goes on to enumerate, without limitation, certain categories of information (e.g., identifiers, website activity, biometric information, geolocation) if they identify, relate to, describe, are reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. With respect to this broad set of data, the CCPA extends to California consumers substantial rights, including the right to request deletion of that data or to opt out of its sale.
The CCPA’s private right of action for data breaches, however, applies to a much narrower subset of the “personal information” defined above. Specifically, the CCPA incorporates another section of California law, Cal. Civ. Code Sec. 1798.81.5(d)(1)(A), to define the personal information that, if breached as a result of the owner’s failure to reasonably safeguard it, could expose the owner to statutory damages of up to $750 per person. For this purpose, personal information means:
An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:
(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.
Note also that the CCPA excludes certain information from its general definition of personal information, such as “protected health information” maintained by covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”).
But the PI, PII, PHI…conundrum does not end with the CCPA. An organization with CCPA obligations also may maintain “private information” of New York residents. Under the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), that organization would have to adopt reasonable safeguards to protect “private information” which is defined to mean, in general, any information concerning a natural person which, because of an identifier, can be used to identify such natural person if it is in combination with any one or more of the following data elements:
Private information also includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
Confused yet? Perhaps your organization is not subject to the CCPA or the NY SHIELD Act, but you own and operate a website that collects personal information from consumers who reside in California and Delaware. Laws in those states require a website privacy policy that describes certain practices concerning “personally identifiable information” defined in Delaware to mean:
any personally identifiable information…collected online by the operator…from that user…including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator…from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph.
A similar definition exists under the California law. These distinctions just scratch the surface and add to the complexity of the emerging patchwork of data privacy and security law in the United States.
So, when thinking about personal information, it is important to remember that not only does the definition extend beyond just one’s name and social security number, but the term itself and its definition likely will differ depending on the particular statutes or regulations you are analyzing. When assessing an organization’s threats and vulnerabilities to personal information, or preparing policies and procedures to safeguard it, be sure to develop an appropriate definition that takes into account the necessary elements of data.
Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.
In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.
What is Personal Information Under Privacy Laws






Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Your business probably collects, stores, and shares personal information every day. This means you're subject to legal obligations that you might not even be aware of.
It's essential to understand what personal information your company uses and holds. Thus, the starting point for complying with many important laws and avoiding some very severe penalties is to understand what laws mean when they refer to "personal information."
This article will help break down the definition of this key term in a number of different privacy laws.
It's not possible to provide an exhaustive list of all the different types of personal information. But it is helpful to consider some examples.
Different laws define personal information in different ways. We're going to look at lots of different types of information, but note that not every privacy law will consider every example to be "personal information." We'll look at some individual privacy laws later in the article.
We'll call the first type of personal information "contact details." These are the types of information you might use to get in touch with a person, such as:
A person's full name is probably the most obvious example of personal information. But in fact, even a person's first name alone can represent personal information.
It's all about context. For example, the first name "Robert":
Although ID numbers appear to be a string of random digits, they can also qualify as personal information.
Not every ID number is personal information. For example, in the United States:
The more an online advertiser knows about people, the better its product targeting will be. This rampant collection of personal information is why privacy law is so important right now.
When a user visits a website within an online advertiser's network, the advertiser will install tracking software on the user's device (e.g. a "cookie"). This tracking software records which websites the user visits, what they're searching for, and sometimes where they're located.
It's not hard to see why regulators and legislators have taken an interest in this sort of business activity. A person's internet activity can reveal a lot about them.
Types of online and technical information that might count as personal information include:
It's important to remember that not all of these types of information are considered personal information in every context, or under all privacy laws.
A typical business can process online and technical identifiers in several ways:
Some personal information is objective. A customer might provide your company with their name, address, or IP address. You might ask them for it, you might receive it from someone else, or you might acquire it through the ways they have interacted with your services.
It's also possible to generate subjective personal information about someone. For example:
This is a contentious area, but it's important to consider whether you hold this kind of information. If you can link any information to a living individual, it could be personal information.
Under certain privacy laws, you'll need to provide access to all the personal information you hold about a person at their request. This might make you think twice before sending an email about someone or making a note on their file.
It's good practice to disguise personal information in your possession, in case it's lost or stolen. It's important to distinguish between three types of disguised data:
Under many privacy laws, encrypted and pseudonymized data is still considered personal information.
Therefore, even if you're taking great care to disguise personal information, you must still store it securely. You must also securely store any key or additional information that could be used to link the data to an individual.
Anonymized data is not personal information. But remember - true anonymization cannot be reversed.
Some personal information is more sensitive than other types. Many privacy laws recognize a category of personal information that must be treated especially carefully.
Different laws have different concepts of what constitutes sensitive information. Typical examples include information about:
Some laws require that you only process sensitive information with consent. Some laws require that you take specific action in the event of a data breach involving sensitive information.
It's crucial that you know whether any of the personal information you hold should be treated as "sensitive."
Some more obscure types of data can represent personal information in some circumstances. For example:
Any of these data sets could be personal information if they can be linked to a living individual.
No matter where your company operates, you'll be under some legal obligation to treat personal information with respect. But the extent of this obligation varies.
Stricter privacy laws have stronger rules about how companies store and provide access to personal information. They have bigger fines in place to deter violations. And they also define "personal information" in different ways.
The EU's strict data protection rules have been causing many businesses a headache for decades. This is particularly true since the General Data Protection Regulation (GDPR) passed.
Personal information is called "personal data" under EU law. The GDPR's definition of personal data is at Article 4(1). Personal data is:

"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier [...]"

The Article 29 Working Party, an EU data protection advisory body (now replaced by the EU Data Protection Board), breaks down the definition of personal data into four parts:
All the examples of personal information we examined above are personal data under the GDPR.
Here's a great example of how broadly the GDPR defines personal data, taken from the Privacy Policy of Electrolux. Note section G, in particular:
Here, the operating data generated by an appliance such as motor power, opening of internal valves, water and energy consumption and other bits of information are disclosed as being "personal data" collected.
If a piece of information can tell you something about a person, even if you'd need extra information to work out who that person is, you should treat it as personal data under the GDPR.
The California Online Privacy Protection Act (CalOPPA) was the first law requiring commercial websites to display a Privacy Policy. Anyone with a commercial website accessible to consumers in California must comply with CalOPPA.
CalOPPA calls personal information "personally identifiable information." Helpfully, CalOPPA lists the types of information it considers personally identifiable information:
This doesn't leave much room for interpretation.
CalOPPA requires website operators to disclose the types of personally identifiable information they collect, along with some other information about how they use such information.
Here's an example of a relevant part of Feel the Lean's Privacy Policy:
Including a clause like this in a Privacy Policy that you appropriately display is a huge part of satisfying CalOPPA requirements.
The California Consumer Privacy Act (CCPA) brings U.S. privacy law much closer to that of the EU. However, it mostly applies to large companies.
The CCPA's definition of personal information is heavily inspired by the GDPR's, but is arguably even broader:

"information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) covers all private sector organizations operating in Canada.
Section 2(1) of PIPEDA defines personal information as "information about an identifiable individual."
PIPEDA doesn't provide any examples. However, Canada's privacy watchdog, the Office of the Privacy Commissioner, clearly considers a wide variety of types of information to be personal information, including IP addresses and cookie data.
Australia's Privacy Act, and the all-important Australian Privacy Principles, govern the processing of personal information in Australia.

"'personal information' means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
The Office of the Australian Information Commissioner (OAIC) offers some guidance on how to interpret this definition. This guidance refers to "a broad range of information", and includes specific examples such as a person's browsing history.
Note the word "reasonably" narrows the definition of personal information. The OAIC notes that:

"Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as 'personal information'."

This implies a narrower definition of personal information than in some other places, such as the EU.
New, stricter privacy laws are being passed all over the world. The trend is towards more regulation, and a more expansive definition of personal information.
Our article on Cookie Consent Outside of the EU is a great resource if you want to know more about international privacy law.
Almost all businesses process a substantial amount of information as part of their everyday business practices. It's crucial to understand which data sets are "personal information" under relevant privacy laws and ensure that you're complying with the law when it comes to how you collect, share, and store this information.
Many privacy laws define personal information as information about a living individual, but some laws interpret this more broadly than others.
Take a cautious approach to legal compliance, and always respect your customers' privacy.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
