What Is Personal Data Under Privacy Law? A Practical Guide
What counts as personal data under GDPR, CCPA, and other privacy laws. Categories, examples, and why it matters for DSARs and compliance.
Last updated: 2026-03-05
What Counts as Personal Data?
If you collect email addresses, process payments, or employ staff, you hold personal data. That much is obvious. What is less obvious is how far the definition stretches under modern privacy laws — and getting the scope wrong is one of the most common compliance mistakes businesses make.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
This guide explains what personal data means under the GDPR, CCPA, PIPEDA, and UK GDPR, how the definitions differ, what categories exist, and why it matters every time someone sends you a data subject access request.
The Core Idea
Every major privacy law starts from the same principle: personal data is any information that relates to an identifiable individual. If you can use a piece of information — alone or combined with other data you hold — to figure out who someone is, it is personal data.
The exact wording varies by jurisdiction, but the practical effect is the same. The scope is broad, and it is meant to be.
How Each Law Defines Personal Data
GDPR (EU) — "Personal Data"
The General Data Protection Regulation defines personal data in Article 4(1):
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Key points:
- "Any information" — there is no restriction on the type or format of data. Text, images, audio recordings, metadata, biometric data — it all counts.
- "Relating to" — the data does not need to contain the person's name. It just needs to relate to them.
- "Identified or identifiable" — if you can identify the person, even indirectly, the data is personal data. An IP address, a cookie ID, or a customer reference number can all be personal data if they can be linked back to someone.
- "Natural person" — only living individuals. Data about companies is not personal data under GDPR (though data about the individuals within those companies is).
CCPA (California) — "Personal Information"
The California Consumer Privacy Act uses the term "personal information" rather than "personal data." Section 1798.140(v) defines it as:
information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Key differences from GDPR:
- Household data is included — CCPA explicitly covers information linked to a household, not just an individual. A household's electricity consumption or purchasing patterns could qualify.
- "Reasonably capable of being associated" — the standard is what is reasonably possible, not what is theoretically possible. If linking the data to a person would require extraordinary effort, it may not qualify.
- "Consumer" — CCPA applies to California residents. The term "consumer" is broader than you might expect; it includes employees, job applicants, and business contacts in addition to customers.
- Broader enumeration — the CCPA includes a detailed list of categories: real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver's license number, passport number, and more. It also explicitly includes commercial information, biometric information, internet activity, geolocation data, audio/visual data, professional information, education information, and inferences drawn from any of these.
PIPEDA (Canada) — "Personal Information"
Canada's Personal Information Protection and Electronic Documents Act defines personal information as:
information about an identifiable individual.
This is deliberately broad. PIPEDA does not provide an exhaustive list, but the Office of the Privacy Commissioner of Canada has clarified that it includes any factual or subjective information, recorded or not, about an identifiable individual. Examples include age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, medical records, and the existence of a dispute between a consumer and a merchant.
Key points:
- "About" — the data must be about the individual, not merely in their possession.
- "Identifiable individual" — the individual does not need to be named, but must be identifiable.
- Business contact information — PIPEDA excludes the name, title, business address, and business telephone number of an employee of an organization when collected, used, or disclosed for the purpose of communicating with that individual in relation to their employment or profession. This is a notable carve-out that GDPR does not provide.
UK GDPR — Same as EU GDPR
The UK retained the GDPR definition after Brexit. The UK GDPR and Data Protection Act 2018 use the same Article 4(1) definition. Practically, if data is personal data under EU GDPR, it is personal data under UK GDPR.
Terminology: Personal Data vs PII vs Personal Information
Different jurisdictions use different terms, and they do not mean exactly the same thing:
| Term | Used By | Scope |
|---|---|---|
| Personal data | GDPR (EU and UK) | Any information relating to an identified or identifiable natural person. Very broad. |
| Personal information | CCPA (California), PIPEDA (Canada), Australian Privacy Act | Information that identifies, relates to, or could be linked to an individual (CCPA also includes households). Comparably broad. |
| Personally identifiable information (PII) | US federal agencies (NIST), HIPAA context | Information that can be used to distinguish or trace an individual's identity. Historically narrower — focused on direct identifiers like SSN and name. |
The practical takeaway: "PII" is the narrowest concept, and businesses that think only in terms of PII tend to underestimate the scope of their obligations under GDPR and CCPA. If you are subject to GDPR or CCPA, think in terms of "personal data" or "personal information" — not PII.
Categories of Personal Data
Personal data falls into several broad categories. Understanding these categories helps you scope DSAR searches, build data inventories, and identify what needs protection.
Basic Identifiers
These are the obvious ones:
- Full name
- Email address (personal or work)
- Phone number
- Physical address
- Date of birth
- National identification numbers (Social Security, National Insurance, SIN, etc.)
- Passport or driver's license number
Online Identifiers
Less obvious, but equally covered:
- IP addresses
- Cookie identifiers and device IDs
- Advertising IDs (IDFA, GAID)
- Login credentials and usernames
- Social media handles
- Browser fingerprint data
- Location data from mobile devices
Financial and Transactional Data
- Bank account and payment card details
- Transaction history and purchase records
- Credit scores and credit history
- Salary and income information
- Tax records
Professional and Employment Data
- Job title and employer
- CV / resume data
- Performance reviews and disciplinary records
- Employment history
- Professional qualifications
Behavioral and Preference Data
- Website browsing history
- Search queries
- Purchase preferences
- Marketing preferences and consent records
- App usage data
Sensitive / Special Category Data
This is the category that carries the highest obligations. Under GDPR Article 9, "special categories of personal data" include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (when used for identification)
- Health data
- Sex life or sexual orientation
Processing special category data is prohibited unless a specific exception applies (explicit consent, employment law obligations, vital interests, etc.). Under GDPR Article 10, criminal conviction and offence data also receives additional protection.
CCPA has its own concept of "sensitive personal information" (added by CPRA), which includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, the contents of mail/email/text messages, genetic data, biometric data, health information, and sex life or sexual orientation. Consumers have the right to limit the use and disclosure of sensitive personal information.
What IS and What IS NOT Personal Data
| Personal Data (IS) | Not Personal Data (IS NOT) |
|---|---|
| Name and email address of a customer | Truly anonymized statistical data (e.g., '42% of users prefer dark mode') |
| IP address logged by your web server | Data about a deceased person (under GDPR — some laws differ) |
| Employee performance review | Aggregated, non-identifiable business metrics |
| CCTV footage showing identifiable individuals | Data about a legal entity (a company), not about individuals |
| Cookie ID linked to browsing behavior | Genuinely anonymized data where re-identification is not reasonably possible |
| Customer reference number (if linkable to a person) | Business contact information used solely to contact someone in their professional capacity (under PIPEDA only) |
| Voice recording of a support call | Information about fictional characters |
| Photo of a person | Weather data, stock prices, or other non-personal facts |
Important caveat about anonymization: data is only truly anonymized if there is no reasonable way to re-identify the individual. If you strip names but keep enough other data points that someone could be re-identified (age + postcode + job title, for example), the data is pseudonymized, not anonymized — and pseudonymized data is still personal data.
Pseudonymized vs Anonymized Data
This distinction catches out a lot of businesses.
Pseudonymized Data
Pseudonymization replaces direct identifiers (like names) with codes or tokens, while keeping a separate key that allows re-identification. The GDPR defines it in Article 4(5) and explicitly states that pseudonymized data is still personal data because the individual can be re-identified using the key.
Examples:
- Replacing customer names with reference numbers, but keeping a lookup table
- Hashing email addresses, but retaining the ability to match hashes to known addresses
- Replacing names in a dataset with random codes, but keeping the mapping
Pseudonymization is encouraged by GDPR as a security measure (it reduces risk if data is breached), but it does not take data outside the scope of the regulation.
Anonymized Data
Anonymized data has been processed so that the individual cannot be identified by any means reasonably likely to be used. Truly anonymized data is not personal data under GDPR and falls outside the regulation entirely.
Achieving true anonymization is harder than most businesses assume. The UK's Information Commissioner's Office (ICO) has published guidance noting that anonymization is not a binary state — it is a spectrum of risk. If there is a reasonable likelihood of re-identification, the data is not anonymized.
The key question: could someone, using the data you release plus any other data reasonably available to them, identify an individual? If yes, the data is not anonymized.
Why Personal Data Definitions Matter for DSARs
When someone submits a DSAR, you need to search for and return all personal data you hold about them. Getting the definition of personal data wrong means one of two things:
Too Narrow = Incomplete Response
If you think personal data is limited to names and email addresses, you will miss:
- Internal notes and opinions about the person
- Their browsing behavior on your website
- Correspondence where they are mentioned but not the sender
- Data held by third-party processors on your behalf
An incomplete DSAR response is a compliance failure. If the individual complains to a supervisory authority, you may face enforcement action.
Too Broad = Unnecessary Work
If you interpret personal data too broadly, you waste time searching for and redacting data that was never in scope. This is less risky than being too narrow, but it increases cost and response time.
The practical approach: be thorough but reasonable. Use your data inventory to identify all systems where the person's data might exist, search those systems, and include any data that relates to the identifiable individual. When in doubt, include it — over-disclosure is almost always preferable to under-disclosure.
Common Mistakes Businesses Make
1. Thinking Business Email Addresses Are Not Personal Data
Under GDPR and UK GDPR, a business email address like "jane.smith@company.com" is personal data because it identifies a specific individual. PIPEDA carves out business contact information used for professional purposes, but this exception does not exist under GDPR.
If you hold employee email addresses for companies you work with, that data is in scope for DSARs and subject to all the usual data protection obligations.
2. Thinking Data "About" Someone Is Not Personal Data if Their Name Is Not Attached
Internal notes like "the customer who complained last Tuesday about the delivery to 42 Oak Street" are personal data if the individual is identifiable from the information, even without a name. Context matters. If your team could figure out who it refers to, it is personal data.
3. Assuming Anonymization Is Easy
Many businesses believe they have anonymized data when they have only pseudonymized it. Removing names but keeping dates of birth, postcodes, and purchase histories does not anonymize data — it is often trivially re-identifiable. True anonymization requires careful statistical analysis and, in many cases, significant data degradation.
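As an added illustration, not taken from the original article, the following Python snippet applies a k-anonymity check (the usual measure of re-identification risk; the metric and the sample data are assumptions of this example, not part of the text) to a constructed, names-removed customer export. With the age + postcode + job title combination intact, k is 1 and rows can still be singled out, which is the pseudonymized-not-anonymized situation described above and under "Pseudonymized vs Anonymized Data"; generalising those columns is the kind of data degradation that true anonymization requires.

```python
from collections import Counter

# Constructed sample (not real people): a customer export with names removed.
# Every row still carries quasi-identifiers that can be cross-referenced.
RECORDS = [
    {"age": 34, "postcode": "SW1A 1AA", "job": "Solicitor", "purchase": "Printer"},
    {"age": 34, "postcode": "SW1A 2BB", "job": "Solicitor", "purchase": "Laptop"},
    {"age": 51, "postcode": "M1 1AE", "job": "Nurse", "purchase": "Headphones"},
    {"age": 52, "postcode": "M1 1AF", "job": "Nurse", "purchase": "Desk"},
    {"age": 29, "postcode": "EH1 1YZ", "job": "Teacher", "purchase": "Monitor"},
    {"age": 29, "postcode": "EH1 1YZ", "job": "Teacher", "purchase": "Keyboard"},
]
QUASI_IDS = ("age", "postcode", "job")  # the age + postcode + job title combination


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Smallest group size sharing the same quasi-identifier values.

    k == 1 means at least one row is unique on those columns: anyone who knows
    those facts about a person can single out their row, so the data is at best
    pseudonymized, not anonymized."""
    groups = Counter(_key(r, quasi_ids) for r in records)
    return min(groups.values())


def unique_rows(records, quasi_ids=QUASI_IDS):
    """Rows that are singled out by their quasi-identifiers alone."""
    groups = Counter(_key(r, quasi_ids) for r in records)
    return [r for r in records if groups[_key(r, quasi_ids)] == 1]


def generalise(record):
    """Coarsen quasi-identifiers: 10-year age band and outward postcode only.
    This is the 'data degradation' the text mentions; it trades detail for k."""
    coarse = dict(record)
    coarse["age"] = f"{record['age'] // 10 * 10}s"
    coarse["postcode"] = record["postcode"].split()[0]
    return coarse


if __name__ == "__main__":
    print("k on raw export:", k_anonymity(RECORDS))          # 1
    print("singled-out rows:", len(unique_rows(RECORDS)))    # 4
    coarse = [generalise(r) for r in RECORDS]
    print("k after generalisation:", k_anonymity(coarse))   # 2
```

Even k of 2 leaves a real dataset far from anonymized; the point is that the check fails on the raw export at all, which is what a DSAR scoping review needs to notice.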
4. Ignoring Data Held by Third Parties
If you use a CRM, email marketing tool, cloud storage provider, or any other third-party service, they hold personal data on your behalf. This data is in scope for DSARs. You remain responsible for it as the data controller, and you need to be able to search and retrieve it.
5. Forgetting About Unstructured Data
Personal data does not only live in databases. It exists in emails, documents, spreadsheets, chat messages, voice recordings, handwritten notes, and CCTV footage. A thorough DSAR search needs to cover unstructured data as well as structured systems.
6. Overlooking Inferred or Derived Data
Under CCPA, "inferences drawn" from personal information to create a consumer profile are themselves personal information. If you use data to infer someone's preferences, purchasing behavior, or characteristics, those inferences are personal data.
A Practical Checklist
Use this checklist to determine whether data you hold qualifies as personal data:
1. Does the data relate to a living individual? If it is about a company (not an individual within the company) or a deceased person (under GDPR), it is likely not personal data.
2. Can you identify the individual from the data alone? Names, email addresses, photos — these directly identify someone.
3. Can you identify the individual by combining the data with other information you hold? Customer reference numbers, IP addresses, pseudonymized data — these indirectly identify someone when cross-referenced.
4. Could someone else reasonably re-identify the individual? Even if you cannot identify them, if someone else could (using publicly available data, for example), the data may still be personal data.
5. Is the data about their physical, physiological, genetic, mental, economic, cultural, or social identity? If yes, it is almost certainly personal data under GDPR.
6. Does it fall into a special category? Health, biometrics, race, religion, sexual orientation, political opinions, trade union membership — these carry additional obligations.
If you answer "yes" to any of questions 2 through 5, you are almost certainly dealing with personal data.
References
- General Data Protection Regulation (GDPR): Article 4(1) — definition of personal data; Article 9 — special categories of personal data; Article 4(5) — pseudonymization. GDPR Article 4 | GDPR Article 9
- California Consumer Privacy Act (CCPA): Cal. Civ. Code § 1798.140(v) — definition of personal information; § 1798.121 — consumers' right to limit use of sensitive personal information. CCPA full text
- PIPEDA: Section 2(1) — definition of personal information. PIPEDA full text
- UK GDPR / Data Protection Act 2018: Definition mirrors EU GDPR Article 4(1). ICO guidance on personal data
Last reviewed: March 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.