What is considered as personal data under GDPR?
October 7, 2021

‘Personal Data’ has different legal definitions in the GDPR, the CCPA in California, the CDPA in Virginia, the LGPD in Brazil and other regulations. Although “personal data” is sometimes used interchangeably with PII (personally identifiable information), “personal data” in the GDPR has a specific and strict definition, illustrated with specific examples, and is therefore different from (broader than) PII. Unfortunately for organizations, there is currently no global standard legal definition of personal data. While all regulations follow a common approach, some frameworks are very specific and provide actual examples of personal data, while others are more vague and subject to interpretation. If your organization operates in multiple jurisdictions, you will first need to understand the definitions under each regulation and which regulation(s) apply to the data you collect, use and store. This will allow you to answer questions such as:

Below, we will review the current definitions of personal data under key global data privacy and protection regulations.

The CCPA established eleven categories of personal information and provided examples to illustrate most of these categories:

The CCPA does not consider publicly available information from federal, state, or local government records, such as professional licenses and public real estate/property records, to be personal information. In addition, the CCPA does not consider data that has been pseudonymized and de-identified, or aggregated and de-identified, to be personal data, because it cannot reasonably be linked to an individual. One of the key differences between the CCPA and the GDPR is that the GDPR is exclusive to the individual, while the CCPA also includes information specific not only to an individual but also to a household. The official definition of personal data under the CCPA is in Section 1798.140(o) of the official text.

The CPRA follows the definitions of “personal data” adopted in the CCPA. However, the CPRA introduces specific categories of “sensitive data”, defined as “personal information that reveals:

The new sensitive data categories under the CPRA are defined in Section 1798.140(ae) of the official text (page 23).

Under the CDPA, “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable natural person.” ‘Personal data’ does not include “de-identified data or publicly available information.” Unlike the CCPA, the CDPA does not provide examples of categories of personal information. Like the CCPA, the definition in the CDPA excludes any de-identified data and publicly available information. Publicly available information is defined as “information that is from federal, state, or local government records”. In addition, the CDPA adds to its definition of publicly available “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” Similar to the CPRA, the CDPA introduces the definition of “sensitive data”, which includes:

The definitions of personal and sensitive data under the CDPA are in § 59.1-571 (Definitions) of the official text.

The definition of ‘Personal Data’ under the CPA is closely related to that of Virginia’s CDPA and states that “personal data means:

As used in this subsection (17)(b), “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” In addition, the Colorado CPA does not include data “maintained for employment records purposes.” Similar to the CDPA and CPRA, the CPA defines sensitive data to “mean (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or (c) personal data from a known child.” The definitions of personal and sensitive data under the CPA are in the official text at 6-1-1303(17) (page 8) and 6-1-1303(24) (page 10).

Under the GDPR, “Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In addition, the European Commission clarified the above in the Q&A section of its website by stating that:

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

The website also lists examples of personal data under the GDPR. These examples include:
As importantly, it also lists examples of what is not considered personal data. These examples are:
The GDPR also makes a clear distinction between personal data and sensitive data via the “Special Categories”. The special categories include:
The processing of special category data is prohibited unless:
To access more information about the data in scope under the GDPR, please refer to the official GDPR website (Article 4 – Definitions and Article 9 – Processing of special categories of personal data).

Conclusion

As you can see, the definitions of personal data vary from one privacy regime to the next. Make sure you have a good understanding of these legal definitions before you work on your data inventory and data mapping initiatives. This is the foundational step of any robust privacy program. To compare the definitions of “Personal Data” and “Sensitive Data” side-by-side for all these regulations and others such as China’s PIPL, Canada’s PIPEDA, or Brazil’s LGPD, please check our Interactive Privacy Table.

Suggested Articles

When companies discovered that the use of a pixel that shares data directly between your website and a social media platform is a sale of data from a regulatory perspective in California, it caught our attention. The increasingly complicated state of privacy compliance understanding and implementation is challenging, to say the least. Among the sea of changes we have worked through in the last several years, one very small but very important part is the expanding scope of what defines a “sale” of data, which is of vital importance to marketing teams. WireWheel CEO Justin Antonipillai was joined by IAB Tech Lab EVP and General Counsel Michael Hahn and Davis+Gilbert LLP Partner Gary Kibel to discuss the ramifications of California Privacy and the Expanding Scope of What is a “Sale” of Data, and the marketing challenges it portends.

If companies make consumer personal information available to third-parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be “selling” consumer personal information under the law. —California AG – Sephora complaint

“Everyone is talking about the Sephora action. It is an important action, not just on its merits, but also as it is the first publicly announced enforcement action out of California,” says Davis+Gilbert’s Kibel. He notes that the complaint, among other concerns (including the use of buzzwords like ‘surveillance’ that are not legally defined), focused on two major issues:

1. Pixels from a third-party provider are on a publisher’s site: Is that a sale of personal information under the CCPA? Or are you in a service provider relationship?

Firstly, opines Kibel, “they were talking about the fact that there could be sensitive data that’s being collected. And if companies make consumer personal information available to third-parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be selling consumer personal information under the law.” That said, “if you have a pixel from a third-party provider on your website, and for free, you get great analytics, and in exchange, the provider can use the data generated on the publisher’s site for their own benefit, that may be a sale of personal information.” This then requires providing the consumer the ability to opt out.

If you are deemed to be selling personal information, you must have a link on the homepage of the website with these six exact words: “Do not sell my personal information.” —Gary Kibel, Davis+Gilbert LLP

“There are two avenues here,” Kibel explains: “You can either be deemed to be selling personal information to a third-party, or you could be in a service provider relationship with that pixel provider. However, if you want a service provider relationship, there needs to be a written contract with that provider restricting the way that they’re going to use the personal information.”

2. Compliance with global privacy control (GPC) signals that are automatically sent by a user’s browser to a publisher’s site.

“As many of us know, there is not a single mention of opt-out preference signals or global privacy controls in the CCPA law, but they were introduced in the CCPA regulations.” The CPRA (effective January 1, 2023) directly addresses opt-out preference signals at length in the regulations (in draft form) “and makes very clear that you have to honor global privacy controls and opt-out preference signals. However, the Sephora action made it clear that the California AG said, no, you need to be honoring GPC signals now.”
Devising GPC signals and third-party contracts

“One of the important things that you need to do under any privacy law is you need to communicate the consumer’s privacy elections to the other participants who receive the personal information in a manner that complies with state law,” says IAB’s Hahn. As a function of technology, the IAB is designing the schematic for this communication ‘plumbing’.

“The IAB Legal Affairs Council asked, ‘What do we need to communicate to lawfully process a digital advertising transaction?’ and gave these requirements to the engineers in the Tech Lab and their working groups to translate them into technical specifications. IAB Tech Lab recently released the Global Privacy Platform, which is encoded to handle state-level signals,” alerts Hahn.

“The second component concerns what rules need to exist for companies when they send – and receive – the signals. To do this we created an industry contract called the IAB Multi-State Provider Agreement which creates a set of obligations that applies to all the signatories. They spring into place in the manner that follows the personal information.

“There are a number of requirements for your specific contracts alone, but at a high level, we are creating a common baseline set of privacy terms that could flow through the digital ad chain, and also fill in gaps where you need contracts, but you don’t have them.”

The IAB has also created, as an alternative to state-specific rules-based contracting, a “national consumer” program, notes Hahn, for those that opt to treat all consumers the same regardless of where they reside.

The technology implementation

There are three critical support elements to achieving an effective and compliant technology implementation, says WireWheel’s Antonipillai.
“This is not a cookie tool,” warns Antonipillai. “Here we are talking about a different kind of exercise. It’s not only about governing what happens in that browser area where your cookie tool used to live, but on the automated marketing side and what the marketing team does outside of automated marketing (think Adobe, Marketo, Eloqua, Dynamics, HubSpot). The front and back-end have to be communicating.

“You have to have the infrastructure to not only understand it and govern it internally,” says Antonipillai. “You have to start thinking about how you’re going to signal through your networks.”

“My experience from the privacy side,” continues Antonipillai, “is that when you’re talking to a marketing professional, if you just ask the question, ‘Are you selling personal data?’ most marketers are going to say ‘No’ (unless it’s part of the business plan). Three critical, more specific, questions need to be asked –

– to gain a more complete understanding of how data is interacting with social media ads.”

“Marketing techniques like measuring performance and frequency capping often use personal data, so when engaging with your marketing team, it is important to move away from simply asking the more charged question, ‘Are you selling data?’

“These activities are what some regulators are starting to call a sale and we need to start putting the right technology and notices in place, so you can do this the way you want.”

Fortunately, he notes, there are really good technical solutions that allow you to do these things while providing the necessary consumer choice in a touchless way. The historical model in the United States is for large marketers to say ‘from pillow to my agency this is your responsibility. Make sure everything complies with the law and identify to me if something goes wrong.’ Changes in the rules have become stressors on that approach.
California Privacy Protection Agency Issues Newly Modified Regulations on CPRA

October 25, 2022

On Monday, September 17, 2022, the California Privacy Protection Agency issued modified proposed CPRA regulations and accompanying explanations. The modified proposed regulations were influenced in part by the large volume of comments collected during the 45-day written comment period on the first round of proposed regulations, the public hearings held in August and subsequent Agency board meetings in September. The next round of Board meetings is scheduled for October 28 and 29, where the Board will adopt or modify the 28 items called out in the draft regulations. If and when the regulations will be finalized is unknown and likely to follow the same path the CCPA proposed regulations did in 2020. The proposed regulations still do not completely address the new law and further rulemaking should be expected, particularly around employee data.

General Overview of the Proposed Regulation Modifications

Collection and Use of Personal Information

The proposed regulations require businesses processing personal information to be “reasonably necessary and proportionate” in the collection and processing of that data. The earlier version of the regulations saw this through the lens of a “reasonable person”. The revised language adds to this by considering three different sets of criteria:
Dark Patterns

Modifications regarding dark patterns should be taken in the context of previous regulations covering many of the same topics, including the same language removed from the newly proposed regulations around the avoidance of dark patterns. The Agency modified the regulations, removing a number of requirements including:

Notice

This section had several impactful changes including:

Sensitive Personal Information

The modified language around the limitations on the use of sensitive personal information clarifies that a business:
Opt-Out Preference Signals

The modified proposed regulations still require businesses to recognize opt-out signals and, as stated above, businesses are not required to display whether they have recognized the signal. Businesses may still provide this functionality as they choose.

California Employee DSAR Requests: What You Need to Know

October 13, 2022

Going into effect January 1, 2023, the California Privacy Rights Act (CPRA) covers companies that:

The CPRA introduces a number of concepts not enumerated in the CCPA:
Importantly, the CPRA has expanded consumer rights, including correction, opt-out of automated decision-making, access to information about automated decision-making, and restricting the use of sensitive personal information. The big topic under the CPRA is the expiry of the exemption for employee, HR, and business-to-business data. If you have employees or use contractors in California, this will be important for you to know and understand. To discuss the challenges with employee DSAR fulfillment and what to do to get prepared, WireWheel’s CPO Rick Buck and VP of Privacy Sheridan Clemens delivered the presentation “California Employee DSAR Requests: What you need to know.”

Which employee and B2B data are covered under CPRA?

Beginning January 1, 2023, data rights will encompass consumers, employees (inclusive of job applicants) and B2B data, which includes subcontractors and independent contractors – their owners, directors, and officers – in the context of employment or job applications.
What used to apply only to the consumer now includes your workforce. One issue that requires more clarity is the treatment of a California business’ remote workers located outside of California. A reasonable assumption is that the CPRA applies. “The CPRA applies to anybody that is doing business in California,” opines Buck. “You are a workforce member, you have a B2B relationship…that you are an employee based in California. But I don’t know if precedent has been formally set.” [1]

WireWheel’s Clemens notes that the employee does need to be a California resident (the CPRA is written for California residents), so if the remote worker is not a California resident the CPRA would not apply. Conversely, if an employee works in California but the company headquarters is in a different state, the CPRA does apply if the business is a covered entity. That said, “many companies are weighing whether they will offer it to all of their employees as a way to keep the playing field level and avoid any issues.”

Some rights might not be relevant

Some of the rights in the CPRA may not apply in an employment context, notes Buck. “The right to opt out of sale/sharing, in particular, might not be applicable as employers typically don’t sell employee data. They don’t track employees for targeted advertising.” Furthermore, “the right to limit the use of some sensitive personal information likely also doesn’t apply in this context. Sensitive PI that’s collected is typically only used for human resources purposes such as work related, payroll, or potentially health related information.”
Challenges fulfilling employee vs. consumer DSARs
Managing employee DSARs will require new processes and workflows, and this work, if not already begun, should start now. It’s not an easy uplift. In the context of employee data, information outside the scope of the CPRA may be exposed. “There’s a lot of data collected about employees, and you’re sorting through things like email and Word documents that may contain another employee’s data, or protected information like trade secrets and other confidential or proprietary information,” advises Clemens. Redactions may be required. In short, more scrutiny will be required, and this can take a lot of manpower.

We expect that the California privacy authority is going to recognize the need for balance, perhaps with some concessions that make it reasonable for businesses to comply without infringing the rights of individuals. “I don’t think anything is set in stone here,” avers Clemens. “Be prepared to make some judgment calls.” Conflict with California employment law is another big unknown. Will the CPRA supersede California employment laws, or will California employment laws take precedence in the employee context?

What companies need to start doing today
There is a lot to consider given the sensitivity of employee data.
Many companies are going to choose to have HR manage these requests. There is quite a bit of sensitive data that will be exposed, and it makes sense to have an HR professional involved in shepherding the process forward. That said, if your HR team is going to be involved in processing DSAR requests, they absolutely need to receive specialized training. However you choose to handle employee DSARs, you should have discussions with your legal team, privacy team, and HR team. Importantly, if you don’t have one, create an employee data classification policy and the governance roles around how that data is handled.

WireWheel has been a trusted partner in advancing data privacy capabilities with a full service offering to support these efforts. We have employee subject rights fulfillment as part of our DSAR package and routinely help businesses implement data inventory, mapping, and governance, managing privacy policies, PIAs, and high-risk processing impact assessments.

[1] WireWheel is not a law firm and does not provide legal advice. Any information or materials that WireWheel provides, including but not limited to presentations, documentation, forms, and assessments, are neither legal advice nor guaranteed to be accurate, complete or up to date.

What personal data is under GDPR?
For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data. Since the definition includes “any information,” one must assume that the term “personal data” should be interpreted as broadly as possible.

What is not personal data under GDPR?
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data.

What are some examples of personal data?
Personal data may, for example, include information on name, address, e-mail address, personal identification number, registration number, photo, fingerprints, diagnostics, biological material, when it is possible to identify a person from the data or in combination with other data.

What are the 3 categories of personal data?
Types of personal data: sensitive personal data (the following information is sensitive personal data: …), general personal data (…), details of criminal offences (…), and information about national identification numbers (CPR nos.).