Personal information is any information that can be used to identify an individual, either on its own or in combination with other data. Some types of personal information are relatively innocuous, such as a person's name or social media username, but other categories of personal information are "sensitive" and require special protection.

If your business collects any information belonging to individuals, then you need to understand the differences between these categories. This is because there are subtle but significant variations in how global privacy laws require you to handle such information.

Below, we explore what is considered personal and sensitive information, and how major global privacy laws influence how you collect and process these categories of information.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.


  2. Answer some questions about your website or app.


  3. Answer some questions about your business.


  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."


    You'll be able to instantly access and download your new Privacy Policy.



What is Personal Information?

Personal information is any information, no matter how trivial, which can be used to identify a certain person. This may mean that you can identify the person directly or indirectly.

  • Direct identification: An obvious identifier, such as a person's full name
  • Indirect identification: An identifier which can be used to identify a certain person in conjunction with other information e.g. a first name and a home address

Some obvious examples include:

  • Name
  • Email address
  • ID card number
  • Home address

Less obvious examples are more technical in nature, including:

  • IP addresses
  • Phone location information
  • Cookie information

Global privacy laws protect individuals, not companies or businesses. The laws impose obligations on businesses, but it is the individual's information that is protected. So, for example:

  • A generic company mailbox (an info@ or sales@ style address) is not personal information. It does not identify an individual, and there is no way of identifying an individual from it.
  • Employee email addresses (a firstname.lastname@company style address) do identify individual employees, so they are personal information.

Most businesses, or websites, collect at least some personal information from their customers or end users. Otherwise, it would not be possible to deliver the services that your audience expects.

Personal information is afforded special protections under global privacy laws. Specifically, you may need to:

  • Disclose if you collect personal information
  • Give users the option to decide how much information they share with you
  • Obtain consent to collecting or using personal information

What is Not Considered to be Personal Information?

Information which is already publicly available is, under many privacy laws, not protected personal information. "Publicly available" generally means lawfully made available from a local, state or federal government record, or disclosed by the data subject (the person the information is about) or by someone the data subject disclosed it to, where the data subject did not restrict further use.

The scope of this exclusion varies. The CCPA/CPRA and the VCDPA exclude publicly available information from their definitions of personal information; the GDPR does not, and only treats special category data that the data subject has "manifestly made public" as one narrow exception under Article 9.

These laws usually protect information that businesses collect which would not otherwise be available.

When Do Businesses Collect Personal Information?

Businesses collect personal information for various reasons. Here are some examples of when you might collect personal information:

  • Completing transactions
  • Sending marketing emails and newsletters
  • Interacting with customers through online chatbots
  • Improving customer services

There are various ways to collect personal information, including:

  • Cookies: Small text records (name/value pairs) that a website sets in a user's browser, which stores them on the device and sends them back with later requests to the same site. They "remember" the user and help with website functionality. A cookie identifier that persists across visits can single out a user, which is why laws such as the GDPR treat it as personal information.
  • Marketing: You may use cookies or other tracking technologies to gather information about a user's browsing preferences to send them targeted ads. Or, you might encourage users to sign up for newsletters and other marketing materials.
  • Order processing: If you have an ecommerce store, then you collect information from consumers to process orders.
  • Data sharing: You may obtain personal information from other companies. This could be for transactional purposes or because they have sold the information to you.

Consequences of Personal Information Breaches

Any information breach involving personal information is serious. From a business perspective, the most significant ramifications are:

  • Losing customers
  • Financial penalties (for non-compliance with privacy laws)
  • Reputation damage
  • Customer lawsuits

Data breaches expose individuals to harm. Should the information fall into the wrong hands, customers may suffer from consequences such as identity theft.

You may need consent to process, share, or collect personal information. It depends upon which privacy laws apply and whether you can rely on a legitimate business interest for handling information in a certain way.

For example, you might need consent to process personal information for non-essential purposes such as marketing. However, you may be able to process certain essential categories of personal information without consent.

Disclosing Your Processing of Personal Information

Even if you don't always need consent to process personal information, you normally must disclose that you collect, process, or share personal information. You can do this through a Privacy Policy or Privacy Notice.

Here's an example of this type of disclosure in a Privacy Policy:

Talkspace Privacy Policy: Personal data chart with types of data, how data is obtained and how used

The following clause mentions standard personal information and has a section at the end for sensitive personal information:

KPMG Privacy Policy: What personal information we collect clause: Sensitive information section highlighted

What is Sensitive Information?

Sensitive information is a subtype of personal information. Beyond identifying someone, it reveals details about them, such as beliefs, health, or sexual orientation, whose exposure can lead to discrimination, harassment, or other serious harm.

Examples of what most global privacy laws consider "sensitive" rather than simply "personal" information include:

  • Religious affiliations
  • Sexual orientation
  • Biometric information
  • Ethnic origin
  • Trade union memberships
  • Political beliefs or memberships
  • Genetic information
  • Social security number

Not every item on this list is "sensitive" under every law. Under some laws, an item counts as sensitive only when it is linked to, or can be read alongside, information that clearly identifies the person (such as their name).

What makes some information "sensitive," though? It comes down to the level of risk associated with an information breach.

Consequences of Sensitive Information Breaches

Sensitive information breaches are especially harmful because they can expose customers to serious consequences, including financial losses, harassment, discrimination, and fraud.

If such information falls into the wrong hands, a person's entire identity could be stolen. Or someone may be subjected to serious harassment for holding certain opinions, or having a certain sexual orientation.

Given the level of risks involved, companies who process sensitive personal information must take additional steps to:

  • Disclose that they collect sensitive information
  • Protect the information
  • Dispose of the information safely when no longer required

Do all businesses collect sensitive personal information? No. However, if you collect information such as a person's medical information, sensitive financial information, or their gender identity, then you are collecting sensitive information.

Exactly which obligations attach depends on the privacy law. Global privacy laws do, however, typically afford sensitive information enhanced protections given the harm its exposure can cause.

With that in mind, you are more likely to need express or active consent to process sensitive information than if you are handling ordinary personal information.

Disclosing Your Processing of Sensitive Information

As with personal information, you should disclose that you collect, process, share, and use sensitive information, and the best place to do this is within a Privacy Policy.

Depending on which privacy laws apply, you may be required to have a specific clause regarding sensitive information processing, and you may be required to give consumers more choice over whether they share this information.

Here's an example of this type of disclosure in a Privacy Policy:

Clarivate CA Privacy Policy: Sharing your sensitive personal information clause

Here's a disclosure that lets users know that their sensitive information will not be collected without express consent:

Baringa Privacy Policy: We do not collect sensitive data without express consent clause

Here's a clause that uses a list format to note specific types of sensitive information:

NDSS Privacy Policy: Sensitive information collected clause

Privacy laws around the world regulate the collection, processing, sharing, and storing of personal information and sensitive information. Let's be clear on what these terms mean before moving forward.

  • Collection: Broadly, "collection" means the act of capturing the information. This could be, for example, when someone signs up for a newsletter.
  • Processing: To process the information means to handle or perform any operation on it, including collecting, recording, storing, sharing, or disclosing it. Under the GDPR, "processing" is the umbrella term that covers the other three activities listed here.
  • Sharing: "Sharing" typically means sharing the information with a third party, such as advertisers, information processors, or payment processors.
  • Storing: To store the information simply means to save it, whether this is in a cloud drive, within archived files, or by some other means.

Let's now consider how some of these privacy laws define personal and sensitive information, and explain how their disclosure and consent requirements vary depending upon the categories of information in question.

CCPA/CPRA

The California Consumer Privacy Act and its California Privacy Rights Act amendments (CCPA/CPRA) define personal information very broadly, as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

If you collect such information, you must have a Privacy Policy which explains:

  • If you collect personal information and for what purpose
  • Whether you will sell or share the information
  • How long you will retain the information

You must have a clause, or separate notice, outlining a California consumer's specific privacy rights, including the right to opt out of the sale or sharing of personal information. The most common way to do this is a "Do Not Sell or Share My Personal Information" link (the CPRA wording; pre-CPRA notices say "Do Not Sell My Personal Information") in your website footer and Privacy Policy, at a minimum.

Here's an example of this from American Eagle:

American Eagle CCPA Notice

Under the CCPA/CPRA, you must specifically disclose if you collect sensitive personal information and allow Californians to limit its use to what is necessary to perform the services or provide the goods they have requested. This reflects the principle of data minimization: collect and use only what you need for a specific purpose.

Should you wish to use sensitive information for any other purpose the consumer has not already agreed to, you need their express consent before doing so.

To comply, you need a specific "Limit the Use of My Sensitive Personal Information" link or notice.

Here is an example from BRP:

BRP Limit Use of Sensitive Personal Information notice

In short, the CCPA/CPRA clearly distinguishes between personal and sensitive information. You must take extra steps to disclose collection of sensitive information and give your customers more choices regarding how such information is used.

PIPEDA

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), personal information is information about an identifiable person.

You may not need express consent to collect non-sensitive personal information. Implied consent, for example where an individual uses the service or provides details for an obvious purpose such as placing an order, is typically enough. But you must still disclose that you collect it.

Here is an example from LMNT of how you might word such a disclosure in a Privacy Policy:

LMNT Privacy Policy: Definition of personal information

PIPEDA distinguishes sensitive information from ordinary personal information. Businesses must protect personal information with safeguards proportionate to its sensitivity and the degree of harm an information breach could cause, and you are generally expected to get express consent before collecting sensitive information.

PIPEDA does not, however, define sensitive information. What Schedule 1 (clause 4.3.4) says is that any information can be sensitive depending on the context, and it gives medical records and income records as examples of information that is almost always considered sensitive.

Given that context-dependence, you should obtain express consent, via a mechanism such as an "I Agree" checkbox, before processing any information you believe could be sensitive.

For example, before you open an American Eagle account, you must acknowledge reading the Privacy Policy by checking a box:

American Eagle agree checkbox

GDPR

The EU's General Data Protection Regulation (GDPR) is, in simple terms, the template for many other global privacy laws. As such, it has the "landmark" definitions for personal information and sensitive information.

Under Article 4(1) of the GDPR, personal information (personal data) is any information relating to an identified or identifiable natural person, the "data subject":

GDPR Article 4 - Personal data definition

The GDPR clearly distinguishes between ordinary personal information, and sensitive information.

Under the GDPR, sensitive information is "special category" data. Article 9(1) prohibits processing it unless one of the exceptions in Article 9(2) applies, in addition to an ordinary Article 6 lawful basis for the processing.

Those Article 9(2) exceptions include:

  • Explicit consent of the data subject
  • Obligations and rights under employment, social security or social protection law
  • Protection of the vital interests of a person who is unable to consent
  • Data the data subject has manifestly made public
  • Establishing, exercising or defending legal claims, and certain health, public-interest and research purposes

Special category data comprises racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. It does not specifically include financial information or information belonging to minors, which other privacy laws may treat as sensitive.

Under the GDPR rules, you should not process special category data unless you have explicit consent or another Article 9(2) exception squarely applies. Even then, you are expected to limit such processing to what is necessary for the purpose (data minimisation, Article 5(1)(c)).

  • You need an Article 6 lawful basis to process ordinary personal data. Consent is one basis, but others do not require it, e.g. processing that is necessary to perform a contract with the consumer, or a legitimate interest of the business that is not overridden by the individual's rights.
  • You should get explicit and informed consent (or rely on another Article 9(2) exception) to process special categories of data, and disclose specifically in your Privacy Policy that you collect sensitive information.

The GDPR places additional security obligations on businesses handling sensitive information. Article 32 requires technical and organisational measures appropriate to the risk, so you should assess the likelihood and severity of harm to individuals from an information breach and scale your safeguards accordingly. The article names pseudonymisation and encryption of personal data explicitly, and the more sensitive the data, the stronger the measures expected.

You should also outline the steps you take to safeguard sensitive information in your Privacy Policy.

Flower and White, for example, explains the steps it takes to protect all information and the extra steps (encryption) used to safeguard sensitive information:

Flower and White Privacy Policy: Security clause
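Two of the points above, limiting sensitive information to the purpose the person actually agreed to (the CCPA/CPRA "limit the use" requirement) and applying stronger technical measures such as pseudonymisation to personal data (GDPR Article 32), can be enforced in code rather than only promised in a policy. The following Python is an added example written for this page; it is not code from the original article, from Flower and White, or from any other company cited above. The field names, the classification map, the purpose labels, the consent register and the sample record are all constructed assumptions, and the key is an inline placeholder that in practice would be loaded from a key-management service.

```python
"""Classification-driven handling of personal vs. sensitive fields.

Added example; not code from the original article or any company it cites.
The field names, classification map, purpose labels, consent register and
sample record are assumptions made for illustration.
"""
import hashlib
import hmac

# Hypothetical classification of the fields a customer record may carry.
# Every field that can appear in a record must be listed in exactly one set.
PERSONAL = {"name", "email", "home_address", "ip_address"}
SENSITIVE = {"health_condition", "religion", "trade_union_member"}
NON_PERSONAL = {"order_total", "country"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym of a direct identifier.

    Deterministic, so two records about the same person can still be joined,
    but not reversible without the key (unlike a plain hash, which an attacker
    could confirm by hashing guessed emails). Truncated to 16 hex characters
    for readability; keep the full digest where collisions matter.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unclassified_fields(record: dict) -> set:
    """Fields in the record that the classification map does not cover.

    A column added to the record without being classified must not pass
    through an export as if it were harmless.
    """
    return set(record) - PERSONAL - SENSITIVE - NON_PERSONAL


def export_for_purpose(record: dict, purpose: str, consents: dict, key: bytes) -> dict:
    """Build a copy of `record` for a secondary purpose such as analytics.

    - direct identifiers are pseudonymised
    - sensitive fields are kept only if express consent for this purpose exists
    - any unclassified field aborts the export
    """
    unknown = unclassified_fields(record)
    if unknown:
        raise ValueError(f"unclassified fields, classify before export: {sorted(unknown)}")
    out = {}
    for field, value in record.items():
        if field in SENSITIVE:
            # consents maps field -> set of purposes the person expressly agreed to
            if purpose in consents.get(field, ()):
                out[field] = value
            # otherwise dropped: no consent for this purpose, so minimise
        elif field in PERSONAL:
            out[field] = pseudonymise(value, key)
        else:
            out[field] = value
    return out


def redact_for_log(record: dict) -> dict:
    """Log-safe view: personal fields masked, sensitive fields omitted entirely."""
    out = {}
    for field, value in record.items():
        if field in SENSITIVE:
            continue
        out[field] = "<redacted>" if field in PERSONAL else value
    return out


# Constructed sample record (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "ip_address": "203.0.113.7",
    "health_condition": "asthma",
    "religion": "none stated",
    "order_total": 42.5,
    "country": "IE",
}
# Hypothetical consent register: field -> purposes expressly agreed to.
CONSENTS = {"health_condition": {"service_delivery"}}  # no consent for analytics
# Placeholder only: load the real key from a KMS, never embed it in code.
KEY = b"example-only-key-load-from-a-kms-in-practice"

if __name__ == "__main__":
    print("analytics copy:", export_for_purpose(SAMPLE, "analytics", CONSENTS, KEY))
    print("log view:      ", redact_for_log(SAMPLE))
```

Run as a script it prints the analytics copy (identifiers replaced by pseudonyms, `health_condition` and `religion` dropped because consent exists only for `service_delivery`) next to the log-safe view. The unclassified-field check is the part most worth keeping: a new column that nobody has classified fails the export instead of silently leaking.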

APA

Australia's Privacy Act 1988 (referred to here as the APA) defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable.

The APA defines sensitive information specifically to include, for example, health, biometric, and political association information. You should obtain express consent to process sensitive information as it is regarded as more vulnerable.

"Consent" under the APA should be informed, voluntary, current and specific, and given by someone with the capacity to consent:

APA Consent section

As in keeping with other privacy laws, the APA clearly distinguishes between personal and more vulnerable sensitive information, and imposes additional obligations on businesses handling sensitive information.

VCDPA

Virginia's Consumer Data Protection Act (VCDPA) defines personal information ("personal data") and sensitive information ("sensitive data") separately. Personal data is any information linked or reasonably linkable to an identified or identifiable natural person; it excludes de-identified data and publicly available information:

VCDPA Definition of Personal Data

Sensitive data covers racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, personal data collected from a known child, and precise geolocation data:

VCDPA Definition of Sensitive Data

You may not always need consent to process personal information. But to process sensitive information under the VCDPA, you need the consumer's consent, which the Act defines as a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement.

Summary

Personal information is any information which may identify a specific person, either directly, or indirectly.

Sensitive information is a special category of personal information which is inherently more vulnerable to misuse. If breached, it could result in serious financial harm, identity theft, or fraud. Therefore, global privacy laws typically give it more significant protections.

You may not need express consent to process personal information. You usually need express consent to collect or process sensitive information.

You should always disclose if you collect or process personal information. You may need a separate disclosure for sensitive information.

You should safeguard any personal information, taking reasonable steps to do so. You must take additional precautions to protect sensitive information.

The best way to comply with such requirements is to have a Privacy Policy outlining your information processing practices, informing customers of their privacy rights, and having an express consent or "opt in" mechanism for sharing personal information - particularly if it's sensitive.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy