October 7, 2021 • read

Introduction

‘Personal Data’ has different legal definitions in the GDPR, the CCPA in California, the CDPA in Virginia, the LGPD in Brazil and other regulations. Although personal data is sometimes used interchangeably with PII or personally identifiable information, “personal data” in the GDPR refers to a more specific and strict definition with specific examples and is therefore different [broader] than PII. Unfortunately for organizations, there is currently no global standard legal definition of personal data. While all regulations follow a common approach, some frameworks are very specific and provide actual examples of personal data, while others are more vague and subject to interpretation.

If your organization operates in multiple jurisdictions, you will first need to understand the definitions under each regulation and which regulation[s] apply to the data you collect, use and store. This will allow you to answer questions such as:

Below, we will review the current definitions of personal data under key global data privacy and protection regulations.

Personal Data Under CCPA

The CCPA established eleven categories of personal information and provided examples to illustrate most of these categories:

The CCPA does not consider publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records, as personal information. In addition, the CCPA does not consider as personal data data that has been pseudonymized and de-identified, or aggregated and de-identified, because it cannot be reasonably linked to an individual. One of the key differences between the CCPA and the GDPR is that the GDPR is exclusive to the individual, while the CCPA covers information specific not only to an individual but also to a household.

To read more about the official definition of personal data under the CCPA, click here to access the official text [Section 1798.140.[o]].

Personal Data under CPRA

The CPRA follows the definitions of “personal data” adopted in the CCPA. However, the CPRA introduces specific categories of “sensitive data”, defined as “personal information that reveals:

You can learn more about the new sensitive data categories under the CPRA by clicking here [on page 23, 1798.140.[ae]].

Personal Data Under Virginia CDPA

Under the CDPA, the definition of “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable natural person. ‘Personal data’ does not include de-identified data or publicly available information.” Unlike the CCPA, the CDPA does not provide examples of categories of personal information. Like the CCPA, the definition in the CDPA excludes any de-identified data and publicly available information. Publicly available information is defined as “information that is from federal, state, or local government records”. In addition, the CDPA adds to its definition of publicly available “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.”

Similar to the CPRA, the CDPA introduces the definition of “sensitive data”, which includes:

You can access the definitions of personal and sensitive data under the CDPA by clicking here [59.1-571 - Definitions].

Personal Data Under Colorado CPA

The definition of ‘Personal Data’ under the CPA is closely related to that of Virginia’s CDPA and states that “personal data means:

As used in this subsection [17][b], “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” In addition, the Colorado CPA does not include data “maintained for employment records purposes.”

Similar to the CDPA and CPRA, the CPA defines sensitive data to “mean [a] personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, [b] genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or [c] personal data from a known child.”

To read more about the definitions of personal and sensitive data, please refer to the official text by clicking here [on page 8, 6-1-1303.[17] and on page 10, 6-1-1303.[24]].

Personal Data Under GDPR

Under the GDPR, “Personal Data means any information relating to an identified or identifiable natural person [‘data subject’]; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In addition, the European Commission clarified the above on its website via the Q&A section by mentioning that:

“Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria [for example alphabetical order]. It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.”
The website also lists examples of personal data under GDPR. These examples include:
- a name and surname
- a home address
- an email address such as
- an identification card number
- location data [for example the location data function on a mobile phone]
- an Internet Protocol [IP] address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
As importantly, it also lists examples of what is not considered personal data. These examples are:
- a company registration number
- an email address such as
- anonymised data
The GDPR also makes a clear distinction between personal data and sensitive data via the “Special Categories”. The special categories include:
- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union memberships
- Biometric data used to identify an individual
- Genetic data
- Health data
- Data related to sexual preferences, sex life, and/or sexual orientation
The processing of special category data is prohibited unless:
- “Explicit consent” has been obtained from the data subject, or,
- Processing is necessary in order to carry out obligations and exercise specific rights of the data controller for reasons related to employment, social security, and social protection, or,
- Processing is necessary to protect the vital interests of data subjects where individuals are physically or legally incapable of giving consent, or,
- Processing is necessary for the establishment, exercise, or defence of legal claims, for reasons of substantial public interest, or reasons of public interest in the area of public health, or,
- For purposes of preventive or occupational medicine, or,
- Processing is necessary for archiving purposes in the public interest, scientific, historical research, or statistical purposes, or,
- Processing relates to personal data which are manifestly made public by the data subject, or,
- Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
To access more information about the data in scope under GDPR, please refer to the official GDPR website [Article 4 – Definitions and Article 9 – Processing of special categories of personal data]
Conclusion
As you can see, the definitions of personal data vary from one privacy regime to the next. Make sure you have a good understanding of these legal definitions before you work on your data inventory and data mapping initiatives. This is the foundational step of any robust privacy program.
To compare the definitions of “Personal Data” and “Sensitive Data” side-by-side for all these regulations and others such as China’s PIPL, Canada’s PIPEDA, or Brazil’s LGPD, please check our Interactive Privacy Table.
Suggested Articles
The Expanding Scope of “Sale:” California Data Privacy

November 1, 2022 • read

When companies discovered that the use of a pixel that shares data directly between your website and a social media platform is a sale of data from a regulatory perspective in California, it caught our attention. The increasingly complicated state of privacy compliance understanding and implementation is challenging, to say the least. Among the sea of change we have worked through in the last several years, one very small but very important part is the expanding scope of what defines a “sale” of data, which is of vital importance to marketing teams.

WireWheel CEO Justin Antonipillai was joined by IAB Tech Lab EVP and General Counsel Michael Hahn and Davis+Gilbert LLP Partner Gary Kibel to discuss the ramifications of California Privacy and the Expanding Scope of What is a “Sale” of Data, and the marketing challenges it portends.

If companies make consumer personal information available to third-parties and receive a benefit from the arrangement—such as in the form of ads targeting specific consumers—they are deemed to be “selling” consumer personal information under the law.
—California AG – Sephora complaint

The Sephora takeaways

“Everyone is talking about the Sephora action. It is an important action, not just on its merits, but also as it is the first publicly announced enforcement action out of California,” says Davis+Gilbert’s Kibel. He notes that the complaint, among other concerns [including the use of not legally defined buzzwords like ‘surveillance’], focused on two major issues:

1. Pixels from a third-party provider are on a publisher’s site: Is that a sale of personal information under the CCPA? Or are you in a service provider relationship?

Firstly, opines Kibel, “they were talking about the fact that there could be sensitive data that’s being collected. And if companies make consumer personal information available to third-parties and receive a benefit from the arrangement – such as in the form of ads targeting specific consumers – they are deemed to be selling consumer personal information under the law.” That said, “if you have a pixel from a third-party provider on your website, and for free, you get great analytics, and in exchange, the provider can use the data generated on the publisher’s site for their own benefit, that may be a sale of personal information.” This then requires providing the consumer the ability to opt-out.

If you are deemed to be selling personal information, you must have a link on the homepage of the website with these six exact words: “Do not sell my personal information.”
—Gary Kibel, Davis+Gilbert LLP

“There are two avenues here,” Kibel explains: “You can either deem to be selling personal information to a third-party, or you could be in a service provider relationship with that pixel provider. However, if you want a service provider relationship, there needs to be a written contract with that provider restricting the way that they’re going to use the personal information.”

2. Compliance with global privacy control [GPC] signals that are automatically sent by a user’s browser to a publisher’s site.

“As many of us know, there is not a single mention of opt-out preference signals or global privacy controls in the CCPA law, but it was introduced in the CCPA regulations.” The CPRA [effective January 1, 2023] directly addresses opt-out preference signals at length in the regulations [in draft form] “and makes very clear that you have to honor global privacy controls and opt-out preference signals. However, the Sephora action made it clear that the California AG said, no, you need to be honoring GPC signals now.”

This makes it really challenging, because the CCPA regulations really don’t tell you anything about how to comply with GPC signals. So, what are businesses supposed to do right now? Perhaps you could look at the CPRA draft regulations to see what it says and use that as guidance.
—Gary Kibel, Davis+Gilbert LLP

Devising GPC signals and third-party contracts

“One of the important things that you need to do under any privacy law is you need to communicate the consumer’s privacy elections to the other participants who receive the personal information in a manner that complies with state law,” says IAB’s Hahn. As a function of technology, the IAB is designing the schematic for this communication ‘plumbing’.

“The IAB Legal Affairs Council asked, ‘What do we need to communicate to lawfully process a digital advertising transaction?’ and gave these requirements to the engineers in the Tech Lab and their working groups to translate them into technical specifications. IAB Tech Lab recently released the Global Privacy Platform, which is encoded to handle State-level signals,” alerts Hahn.

“The second component concerns what rules need to exist for companies when they send – and receive – the signals. To do this we created an industry contract called the IAB Multi-State Provider Agreement which creates a set of obligations that applies to all the signatories. They spring into place and in the manner that follows the personal information.

“There are a number of requirements for your specific contracts alone, but at a high level, we are creating a common baseline set of privacy terms that could flow through the digital ad chain, and also fill in gaps where you need contracts, but you don’t have them.”

If you spent the next 100 years trying to write contracts, you will not be able to scale with enough of them given the broad definition of sale that exists today as the regulators applied in the digital advertising context, which for all practical matters, seems to apply to nearly every disclosure of personal information.
—Michael Hahn, IAB Tech Lab
The IAB has also created, as an alternative to state-specific rules-based contracting, a “national consumer” program, notes Hahn, for those that opt to treat all consumers the same regardless of where they reside.
The technology implementation
There are three critical support elements to achieving an effective and compliant technology implementation says WireWheel’s Antonipillai.
- If you have automated scripts, tags, or pixels that are going directly to a third-party platform, you have to be able to know that it’s not going to go automatically. You have to have a way to control them.
- In the context of marketing, you need a place that a human being can come and easily opt-out. You have to make it super simple and easy to find. It has to interact with the automated marketing, it can’t just be the stuff that goes on in your back-end systems. And it has to happen automatically.
- You have to strongly consider – some view it mandatory – setting up the infrastructure to accommodate choice in a touchless way. Including via the global privacy control concept.
“This is not a cookie tool,” warns Antonipillai. “Here we are talking about a different kind of exercise. It’s not only about governing what happens in that browser area where your cookie tool used to live, but also the automated marketing side and what the marketing team does outside of automated marketing [think Adobe, Marketo, Eloqua, Dynamics, HubSpot]. The front and back-end have to be communicating.
“You have to have the infrastructure to not only understand it and govern it internally,” says Antonipillai. “You have to start thinking about how you’re going to signal through your networks.”
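The three elements above (knowing which tags send data to a third party and being able to stop them, an opt-out a person can find, and honoring touchless signals such as GPC) collapse into one decision point that sits in front of every third-party tag. The JavaScript below is an added example written for this article, not code from WireWheel, the webinar speakers or any of the products named. It assumes a constructed tag inventory in which each tag carries a `dataFlow` label (`sale_or_share` for a pixel whose provider may use the data for its own purposes, `service_provider` for a tag covered by a restricting contract), a request object that carries the `Sec-GPC` header on the server side or `navigator.globalPrivacyControl` on the client side, and a flag for an opt-out recorded through the site's own “Do not sell my personal information” link.

```javascript
// Added example (not from the original article or any WireWheel product): a
// minimal gate that decides whether a third-party marketing tag may fire,
// honoring the Global Privacy Control (GPC) signal both server-side (Sec-GPC
// request header) and client-side (navigator.globalPrivacyControl), plus an
// explicit opt-out the site itself recorded through its "Do not sell" link.

// Parse the Sec-GPC header. Only the exact value "1" means "opted out";
// anything else (absent, "0", "true") is treated as no signal. Header names
// are matched case-insensitively because HTTP servers normalize them differently.
function gpcFromHeaders(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return value !== undefined && String(value).trim() === "1";
}

// Client-side equivalent: browsers that implement GPC expose a boolean on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Gather every opt-out signal for one page view into a single object.
function collectSignals({ headers = {}, nav = null, explicitOptOut = false } = {}) {
  return {
    gpcHeader: gpcFromHeaders(headers),
    gpcNavigator: gpcFromNavigator(nav),
    explicitOptOut: Boolean(explicitOptOut),
  };
}

// Decide whether a single tag may fire, and record why, so the decision can be audited.
// `tag.dataFlow` is a constructed label: "sale_or_share" or "service_provider".
function decidePixel(tag, signals) {
  if (tag.dataFlow === "service_provider") {
    // A written contract restricts the provider's use; the tag is not a sale/share.
    return { fire: true, reason: "service-provider contract; not a sale/share" };
  }
  if (signals.explicitOptOut || signals.gpcHeader || signals.gpcNavigator) {
    const source = signals.explicitOptOut ? "explicit opt-out link"
      : signals.gpcHeader ? "Sec-GPC header"
      : "navigator.globalPrivacyControl";
    return { fire: false, reason: `opt-out via ${source}` };
  }
  return { fire: true, reason: "no opt-out signal" };
}

// Constructed tag inventory: one social pixel (sale/share) and one analytics
// tag operating under a service-provider contract.
const TAGS = [
  { id: "social-pixel", dataFlow: "sale_or_share" },
  { id: "site-analytics", dataFlow: "service_provider" },
];

// Evaluate every tag in the inventory for one request/page view.
function evaluateRequest(request) {
  const signals = collectSignals(request);
  return TAGS.map((tag) => ({ id: tag.id, ...decidePixel(tag, signals) }));
}

// Stand-alone run with a constructed request whose browser sent Sec-GPC: 1.
console.log(evaluateRequest({ headers: { "sec-gpc": "1" } }));
```

On the server, `gpcFromHeaders` runs against the incoming request before the page is rendered so that the sale/share tags are simply never emitted; in the browser, `gpcFromNavigator` gives the same answer for tags injected later by a tag manager. Keeping the `reason` string on every decision is what lets the marketing and privacy teams show, per tag, which signal was honored.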
The marketing community is going to have to own this issue. If you go to almost any other jurisdiction, certainly in Europe, when a marketing team is about to run a marketing campaign, privacy and GDPR compliance is typically number one or two on the list. It’s just part of the culture.
—Justin Antonipillai, WireWheel
“My experience from the privacy side” continues Antonipillai, “is that when you’re talking to a marketing professional, if you just ask the question, ‘Are you selling personal data?’ most marketers are going to say, “No,” [unless it’s part of the business plan].
Three critical, more specific, questions need to be asked –
- Are we using any scripts, tags, or pixels, to improve our social media ads?
- Are we using any technologies or platforms to measure the performance of our ads?
- Are we using any technology to cap the frequency that people see our ads?
– to gain a more complete understanding of how data is interacting with social media ads.”
“Marketing techniques like measuring performance and frequency capping often use personal data, so when engaging with your marketing team, it is important to move away from simply asking the more charged question, ‘Are you selling data?’
“These activities are what some regulators are starting to call a sale and we need to start putting the right technology and notices in place, so you can do this the way you want.
Fortunately, he notes that there are really good technical solutions that allow you to do these things while providing the necessary consumer choice in a touchless way.
The historical model in the United States is for large marketers to say ‘from pillow to my agency this is your responsibility. Make sure everything complies with the law and identify to me if something goes wrong.’ Changes in the rules have become stressors on that approach.
Requirements around auditing service providers needed in your contracts is one indicator of that. Suddenly there could be sales of personal information that marketers are engaging in or causing others to engage in.
Marketers need to get their arms around this.
—Michael Hahn, IAB Tech Lab
Watch the full webinar on-demand
California Privacy Protection Agency Issues Newly Modified Regulations on CPRA
October 25, 2022 • read

On Monday, September 17, 2022, the California Privacy Protection Agency issued modified proposed CPRA regulations and accompanying explanations. The modified proposed regulations were influenced in part by the large volume of comments collected during the 45-day written comment period on the first round of proposed regulations, the public hearings held in August and subsequent Agency board meetings in September. The next round of Board meetings is scheduled for October 28 and 29, where the Board will adopt or modify the 28 items called out in the draft regulations. If and when the regulations will be finalized is unknown and likely to follow the same path the CCPA proposed regulations did in 2020. The proposed regulations still do not completely address the new law, and further rulemaking should be expected, particularly around employee data.
General Overview of the Proposed Regulation Modifications
Collection and Use of Personal Information
The proposed regulations require a business’s collection and processing of personal information to be “reasonably necessary and proportionate” to the purpose for which it is collected. The earlier version of the regulations saw this through the lens of a “reasonable person”. The revised language adds to this by considering three different sets of criteria:
- Can the businesses determine proportionality and necessity?
- What is the relationship between the consumer and the business?
- What type, nature, and amount of personal information does the business seek to collect or process?
- What is the source of the personal information and the business’s method for collecting or processing it?
- What is the specificity, explicitness, and prominence of disclosures to the consumer about the purpose for collecting or processing the consumer’s personal information, such as in the Notice at Collection and in the marketing materials to the consumer about the business’s good or service?
- To what degree is the involvement of service providers, contractors, third parties, or other entities in the collection or processing of personal information apparent to the consumer?
- Are disclosed purposes compatible with the context in which personal information was collected?
- At the time of collection of the personal information, what are the consumer’s reasonable expectations concerning the purpose for which the personal information will be collected or processed?
- What are the other disclosed purposes for which the business seeks to further collect or process the consumer’s personal information?
- Does a strong link exist between the consumer’s expectations that the personal information will be used to provide them with a requested service at the time of collection, and the use of the information to repair errors that impair the intended functionality of that requested service?
- Factors for determining when processing is reasonably necessary and proportionate to the purpose for which it was collected:
- What is the minimum personal information that is necessary to achieve the purpose identified?
- What are the possible negative impacts on consumers posed by the business’s collection or processing of the personal information?
- What are the additional safeguards for the personal information to specifically address the possible negative impacts on consumers considered by the business?
Dark Patterns
Modifications regarding dark patterns should be taken in context of previous regulations covering many of the same topics including the same language removed from the newly proposed regulations around the avoidance of dark patterns. The Agency modified regulations removing a number of requirements including:
- “A choice where the ‘yes’ button is more prominent [i.e., larger in size or in a more eye-catching color] than the ‘no’ button is not symmetrical” and therefore improper.
- References to businesses not using “manipulative language” or “wording that guilts or shames the consumer into making a particular choice.”
Notice
This section had several impactful changes including:
- Notice at collection no longer needs to identify information regarding third parties that collect personal information through the business.
- Modifying the definitional relationship with analytics providers as third parties. The explanation now reads that in some instances an analytics business can be a service provider and not a third party. As exemplified by the Sephora case, this will be a particularly important change if accepted.
- Deleting subsections dealing with the collection of employment-related information. The explanation states that these subsections were deleted to “conform the regulations to the law following the expiration of the” employee data exemption.
Sensitive Personal Information
The modified language around the limitations of the use of sensitive personal information clarifies that a business:
- Does not need to provide a Notice of Right to Limit or the “Limit the Use of My Sensitive Personal Information” link if the sensitive personal information does not infer characteristics about a consumer.
- May [but is not required to] display a toggle or radio button confirming that requests to limit sensitive personal information, as well as opt-out preference signals and opt-out requests, were processed by the business.
- Can use sensitive personal information to prevent and investigate certain types of security incidents.
Opt-Out Preference Signals
The modified proposed regulations still require businesses to recognize opt-out signals and, as stated above, businesses are not required to display whether they have recognized the signal. Businesses may still provide this functionality as they choose.
California Employee DSAR Requests: What You Need to Know
October 13, 2022 • readGoing into effect January 1, 2023, the California Privacy Rights Act [CPRA] covers companies that:
The CPRA introduces a number of concepts not enumerated in the CCPA:
- Data collection and use should be “reasonable and proportionate.”
- Consent for the collection and use of that data must be obtained
- Enhanced notices on your privacy pages and at points of collection must be provided
- Assessments for risky behavior and for sharing data with third parties and service providers are required
- Contracts with third parties and service providers must obligate them to upholding CPRA when processing data
Importantly, the CPRA has expanded consumer rights including correction, opt-out of automated decision-making, access to information about automated decision-making, and restricting the use of sensitive personal information.
The big topic under the CPRA is the expiry of the exemption for employee, HR, and business-to-business data. If you have employees or use contractors in California, this will be important for you to know and understand.
To discuss the challenges with employee DSAR fulfillment and what to do to get prepared WireWheel’s CPO Rick Buck, and VP of privacy Sheridan Clemens delivered the presentation “California Employee DSAR Requests: What you need to know.”
Which employee and B2B data are covered under CPRA?
Beginning January 1, 2023, data rights will encompass consumers, employees [inclusive of job applicants] and B2B data, which includes subcontractors and independent contractors – their owners, directors, and officers – in the context of employment or job applications.
What’s interesting is that prior to CCPA and CPRA, the State of California already had a series of employment rights for HR Data – e.g., payroll records, employment agreements, and personnel files – providing the right to access, correct, and to not to be discriminated against.
CPRA is calling out specific rights now that employees have in California. They too now will have the right to opt out of automated decision making; be informed about the data being used to make automated decisions; and the right to restrict the use of sensitive personal information.
—Rick Buck
What used to apply only to the consumer, now includes your workforce.
One issue that requires more clarity is the treatment of a California business’ remote workers located outside of California. A reasonable assumption is that the CPRA applies. “The CPRA applies to anybody that is doing business in California,” opines Buck. “You are a workforce member, you have a B2B relationship…that you are an employee based in California. But I don’t know if precedent has been formally set.” [1]
WireWheel’s Clemens notes that the employee does need to be a California resident [the CPRA is written for California residents], so if the remote worker is not a California resident CPRA would not apply. Conversely, if an employee works in California, but the company headquarters is in a different state, the CPRA does apply if the business is a covered entity.
That said, “many companies are weighing whether they will offer it to all of their employees as a way to keep the playing field level and avoid any issues.”
Some rights might not be relevant
Some of the rights in CPRA may not apply in an employment context, notes Buck.
“The right to opt out of sale/sharing in particular, might not be applicable as employers typically don’t sell employee data. They don’t track employees for targeted advertising.
Furthermore, “the right to limit the use of some of sensitive personal information likely also doesn’t apply in this context. Sensitive PI that’s collected is typically only used for human resources purposes such as either work related, payroll, or potentially health related information.”
There’s going to need to be some clarity about whether or not this data is in scope. The answer to that question is going to influence the way in which you as employers are going to respond to your access request.
—Rick Buck
Challenges fulfilling employee vs. consumer DSARs
The first big challenge is that employee data tends to live in different places than consumer data. Companies are going to have to be working with different departments and systems for DSAR requests. And this is going to require a lot of training.
—Sheridan Clemens
Managing employee DSARs will require new processes and workflows, and this work, if not already begun, should start now. It’s not an easy uplift.
In the context of employee data, information outside the scope of CPRA may be exposed. “There’s a lot of data collected about employees, and you’re sorting through things like email and word documents that may contain another employee’s data, or protected information like trade secrets and other confidential or proprietary information,” advises Clemens. Redactions may be required.
In short, more scrutiny will be required, and this can take a lot of manpower.
We expect that the California privacy authority is going to recognize the need for balance, perhaps with some concessions that make it reasonable for business to comply without infringing the rights of the individuals. “I don’t think anything is set in stone here,” avers Clemens. “Be prepared to make some judgment calls.”
Conflict with California employment law is another big unknown. Will it supersede the California employment laws, or will California employment laws take precedence in the employee context?
What companies need to start doing today
- You have to inventory your data
  While you may have done this for your consumers, when it comes to employees there are probably new systems and business processes in scope. You have to talk to HR, and education is going to be vital, as is understanding exactly what data is collected, where it is being stored, and how it is being used.
- Understand if you sell/share or process sensitive PI
  Make sure you’re really clear about selling or sharing personal information: that you know where that data is going, and that you’re giving your employees the right to opt out where applicable. While there is data you need to fulfill an obligation, if you are using it for any other purposes [wellness or other incentive programs], you’ll need to provide your employees the opportunity to opt out.
- Update third-party contracts
  The CPRA requires data processing agreements for all service providers and contractors processing workforce personal information, so be sure all service providers are prepared to support your DSAR requirements.
- Review and update privacy policies
  Privacy policy updates are needed to cover personal information in the employment and B2B context: to delineate the categories of personal information and sensitive PI collected and processed; the purposes for the processing; the retention period by category of PI; a description of the rights available; and instructions on how to exercise those rights.
- Update your DSAR portal
  Additional functionality and workflows are needed to process workforce subject rights. Considerations include securing the data, granting the right groups access to it, and generally having a DSAR workflow for employees built into the portal. Both the DSAR portal and your website require updating.
- Workflows for employee and B2B data
  Additional functionality and workflows will need to be created to process workforce DSARs. As alluded to above, this will likely be the most significant undertaking in facilitating DSAR fulfillment.
There is a lot to consider given the sensitivity of employee data.
You may not want to share your employee data with your privacy team. HR may want to take the lead. In either case, you definitely want to have legal look it over before you send out your DSAR response.
With employee data, there’s a much higher concern that this information could be prelude to a complaint or lawsuit which will entail challenges around possible legal holds and other factors.
—Sheridan Clemens, WireWheel
Many companies are going to choose to have HR manage these requests. There’s quite a bit of sensitive data that will be exposed and it makes sense to have an HR professional involved in shepherding the process forward. That said, if your HR team is going to be involved in processing DSAR requests, they absolutely need to receive specialized training.
However you choose to handle employee DSARs, you should have discussions with your legal team, privacy team, and HR team. Importantly, if you don’t have one, create an employee data classification policy and the governance roles around how that data is handled.
WireWheel has been a trusted partner in advancing data privacy capabilities with a full service offering to support these efforts. We have employee subject rights fulfillment as part of our DSAR package and routinely help businesses implement data inventory, mapping, and governance, managing privacy policies, PIAs, and high-risk processing impact assessments.
Watch the full webinar on-demand
[1] WireWheel is not a law firm and does not provide legal advice. Any information or materials that WireWheel provides, including but not limited to presentations, documentation, forms, and assessments, are neither legal advice nor guaranteed to be accurate, complete or up to date.