Personal Data Categories

Below are examples of the types (categories) of Personal Data / Personal Information and the data elements which help identify, differentiate, and describe an individual wherever that data lives.

• What is ‘identifiable’ is subjective and context-specific. In today’s digital economy an individual can be identified as a real world person, an online account / persona, or even a unique browser or device.
• Entities having the ability to single out one data subject from another, including through online identifiers and other technical parameters, forms the standard of “identifiability” under the EU GDPR, the CCPA and other modern privacy frameworks.
• There is no requirement for a data subject to be immediately identifiable or identifiable by face or name for the information in question to be deemed “personal”.
• This is of particular concern to lawmakers and regulators regarding online platforms and services where an online user’s "digital footprint" can allow devices - and subsequently the specific user - to be clearly individualized.

Categories of Data Subjects

• Contractors
• Vendors
• Business Customers (clients)
• Individual Customers (consumers)
• Prospective Customer
• Employees and Representatives
• Job Applicants
• Website Visitors
• App Users
• Marketing Subscribers
• Ad Audience / Contextual Cohort
• Patients
• Children
• Household
• Research Subjects

Mundane Personal Data

Personal and Real World Information

• Full Name
• Email Address
• Phone Number (landline)
• Phone Number (mobile)
• Customer Number
• Physical Address (partial)
• Physical Address (full)
• Professional License Number
• Employee Identification Number
• Social Security Number (partial)
• Employment History / Resume

Demographic Information

• Age
• Citizenship Status
• Country Code
• Education History
• Employment History
• Employment Status
• Gender
• Languages
• Mother’s Maiden Name
• Professional Licenses
• Birthplace
• Compensation Information
• Date of Birth (DOB)
• Education Information
• Employment Information
• Family Information
• Household Income
• Marital Status
• Veteran Status

Coarse Location

• IP Address (geolocation)
• ZIP / ZIP+4
• Beacons (foot / store aisle traffic)
• Radio Tower Data (unless closely triangulated)

Mobile Device Identifiers and Data

• Device Identifier / UDID / Serial Number
• Advertising ID (i.e. AD-ID / IDFA)
• RFID Tag
• IMEI / MEID
• MAC ID
• Device IP Address

Online Identifiers, Behaviors, History, and Other Digital Data

• Cookie ID
• Pixels / Tags
• GUID
• Social Network Username
• Entity Tag (ETag)
• Geolocation (mobile network)
• Online Monitoring
• Purchase History
• App Download History
• Browsing History
• Page Visits
• Impressions (views)
• Conversions (clicks)
• Bid Requests
• Timestamps
• Embedded Scripts
• Machine Learning Libraries
• Purchase Preferences
• Photos / Videos / Messages
• AI Learning Library

Sensitive or Otherwise Specially Regulated Data

Government Issued IDs and Associated Data

• Social Security Number (full)
• Birth Certificate
• Death Certificate
• Certification Number
• Driver’s License Number
• Government Identification Card Number
• Immigration / Naturalization Number
• Personal Tax ID
• Vehicle License Plate Number
• Passport Number
• Vehicle VIN Number
• Cast Ballots / Voting History

Precise Location Information

• GPS Coordinates
• Precise Location Over Time
• Beacons (e.g. Tile)

Biometric Information

• Eye Color
• Fingerprint
• Hair Color
• Photograph / Image
• Voice
• CCTV Footage
• Facial Recognition / Image
• Genetic Information
• Height
• Retina Scan
• Weight

Nonpublic Financial Information

• Account Balance
• Bank Account Number (partial)
• Billing Address (partial)
• Credit / Debit Card Number (partial)
• Credit History
• Routing Number
• Know Your Customer (KYC) Checks
• Bank Account Number (full)
• Billing Address (full)
• Credit / Debit Card Number (full)
• CVV2
• Personal PIN
• Tax Information
• Payment Processing Information (PCI data)

Health and Insurance Information

• Beneficiary Number
• Medical Record Number
• Disability Status
• Physical Health
• Mental Health
• Dependents

Special Category Data and Sensitive Personal Information

• Criminal Background
• Race / Ethnicity
• Sex Life
• Sexual Orientation
• Union Membership
• Political Affiliation or Opinions
• Religion
• Health and Ailment Data
• Biometric Data
• Genetic Data
• Children’s Data

Security-Sensitive Data

• Username / Password
• Security Questions and Answers
• System Access and Use Logs
• Security Logs

Identifying PII

Context matters and is subjective. DataGrail cannot advise whether a particular data element or data set is ‘PII’. Your legal team should always confirm what is true for your organization.

Key Legal Definitions

EU General Data Protection Regulation

Recent and emerging privacy legislation goes beyond the traditional notion of ‘PII’. Notably, the GDPR and CCPA/CPRA encode modern concepts of identifiability, pseudonymity, deidentification, and anonymization into their sweeping definitions of "personal data" and "personal information".

These definitions effectively reconstruct the aging notion of identity to better grapple with new technologies and new ways of doing business online.

• GDPR Article 4(1): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
  • an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• GDPR Article 9(1): “Processing of [special category] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited [unless…]”

California Consumer Privacy Protection & Privacy Right Acts

• CCPA §1798.140 (o)(1): “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
  • (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
  • (G) Geolocation data.
  • (H) Audio, electronic, visual, thermal, olfactory, or similar information
• CPRA §1798.140 (ae): “Sensitive personal information“ means:
  • (1) Personal information that reveals:
    • (A) A consumer’s social security, driver’s license, state identification card, or passport number.
    • (B) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
    • (C) A consumer’s precise geolocation.
    • (D) A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
    • (E) The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.
    • (F) A consumer’s genetic data.
  • (2)
    • (A) The processing of biometric information for the purpose of uniquely identifying a consumer.
    • (B) Personal information collected and analyzed concerning a consumer’s health.
    • (C) Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
    • Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information.