Privacy glossary

Personal data


What is personal data?

In a digital setting, personal data is information that can be used to describe attributes of—or even identify—an individual. This data includes information that directly identifies an individual, such as name, email address, or social security number. Personal data can also include less obvious types of information, such as IP address, browser cookies, geolocation data, or biometric data that—when combined—can uniquely identify someone.

The term personal data is very common, and can have different meanings, depending on the context. In a digital setting, the term personal data encompasses both the identifiers you use on a daily basis (such as name, phone number, or email address) and information about you and what you do (such as education, income, the kind of car you drive, names of friends or family members, or even how often you exercise). This latter category might seem innocuous, but when combined with other facts about you, the resulting profile can be surprisingly specific. For example, the school you graduated from is not itself identifying. But if that school name is combined with the company you work for and the names of your friends, someone could easily narrow the possibilities down to you in particular.
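
The combination effect described above can be measured. The following is an added example, not part of the original glossary: it uses constructed records and hypothetical field names (school, employer, city) to compute the size of the smallest group of people sharing each combination of attributes (the k in k-anonymity), a check a data holder can run before sharing or publishing a dataset.

```python
from collections import Counter
from itertools import combinations, product

# Constructed sample data (not real people): no names, emails or other
# direct identifiers, only "innocuous" attributes. Field names are assumptions.
FIELDS = ("school", "employer", "city")
RECORDS = [
    dict(zip(FIELDS, values))
    for values in product(
        ("State U", "Tech Institute", "City College"),
        ("Acme", "Globex"),
        ("Austin", "Dallas"),
    )
]


def anonymity_sets(records, fields):
    """Count how many records share each combination of values in `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size: each person is hidden among at least k records."""
    return min(anonymity_sets(records, fields).values())


def unique_fraction(records, fields):
    """Share of records that `fields` alone single out (group size of 1)."""
    groups = anonymity_sets(records, fields)
    singled_out = sum(1 for r in records
                      if groups[tuple(r[f] for f in fields)] == 1)
    return singled_out / len(records)


def risky_combinations(records, fields, k_min):
    """List every attribute combination whose k falls below `k_min`."""
    risky = []
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            k = k_anonymity(records, combo)
            if k < k_min:
                risky.append((combo, k))
    return risky


if __name__ == "__main__":
    for combo, k in risky_combinations(RECORDS, FIELDS, k_min=3):
        print(f"{' + '.join(combo)}: k = {k}")
```

In this constructed set no single attribute drops below k = 4, yet all three together single out every record, which is why a dataset needs to be assessed on combinations of fields rather than field by field.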

Terms similar to personal data

“Personal information” (PI) is equivalent to the term personal data. In fact, both of these general terms are also legal terms adopted in recent legislation addressing an individual’s data privacy. The EU legislation GDPR refers to personal data when setting its privacy rules, while the CCPA (a California privacy law) uses the term personal information to define its scope. While the terms are different, the definitions are roughly the same.

“Personally identifiable information” (PII) sounds similar to these other two terms, but PII is usually used to describe just the more obviously identifying information, like name, social security number, or address. Thus PII is a subset of personal data and PI.

Who has my personal data? How do they get it?

Your personal data can be found in databases maintained by organizations you do business with. These organizations may be in commerce, finance, government, the health sector, social media, or other fields. Your data often, but not always, ends up there as a result of Internet activity. From these databases, your data can be moved to the systems of data brokers, which are businesses that collect data from multiple sources, then correlate and analyze the data to build profiles of individuals. The data brokers then sell their results to yet other organizations.

Personal data is collected when you volunteer information, such as when you enter your name or email into an online form. It can also include information about things you purchased online, content you downloaded, or which social media accounts you visited. Less obvious data collection involves items like the IP address of your computer, your geolocation history, browsing history and cookies, and even details about your device and user interface (this is called fingerprinting).

Personal data can also be collected without your online involvement. Lots of data is posted as part of public information and gets swept up into data brokers’ databases. If your name is included in the results of the local marathon or on public property tax rolls, then data brokers (who collect this information) know you’re a runner and own property. Even non-public data (like some voter registration information) can make its way to these databases as a result of hackers accessing secured data.

What is personal data used for?

In order to deliver their services, an organization may need to collect and reference your personal data. For instance, your healthcare provider has collected personal data about you, and will reference it during a telehealth call. Most laws and regulations would consider this use of personal data to be legitimate, and most individuals would generally expect and accept this practice.

However, use of personal data isn’t always restricted to these legitimate scenarios. Often, personal data is shared with other organizations, or sold for marketing purposes, and often this happens without the individual’s consent or knowledge. Personal data can also be referenced in background checks, and can be stolen and sold for illegal uses.

Although not all organizations are bound by regulations limiting what they’re allowed to do with your personal data, many are required to disclose what they might do with it. This declaration is made in a document called a privacy policy, and is usually provided as a link on the company’s website. A privacy policy can be difficult to read, and sometimes even difficult to find. But it’s the best source for information about what an organization intends to do with the personal data they collect.

Personal data, privacy, and security

The biggest threat to the security of your personal data is a data breach. When your data ends up in unauthorized hands, it can be used to target you for social engineering scams and theft. A phishing email is much more convincing when the attacker can use details about you and your online activity.

Unnecessary collection and sharing of personal data is also invasive to your privacy. When data brokers collect your personal data to build a detailed profile of you, and then a business uses that profile to show you precisely targeted ads, it can feel unsettling and intrusive.

There are regulations that address the collection and use of personal data—well-known examples are GDPR, HIPAA, and CCPA. In addition to limiting what data can be collected, for what purposes, and how it can be shared, these regulations also provide individuals with rights regarding data deletion and opting out of data collection. These laws also require notifying individuals of data breaches. Unfortunately, since only some people live where these regulations apply, not everyone is protected by them.

What can I do to protect my personal data?

There’s not much you as an individual can do to protect your personal data or influence how it’s used, once it’s in someone else’s database. However, you can exercise care about where and when to supply your personal data, so it’s less exposed to the possibility of misuse:

  • Take a moment to consider the possible outcome before providing personal data to a website or app that’s likely collecting your data.
  • Remember that any content you post on social media can be collected and combined with other personal data to enhance a profile built by data brokers.
  • Practice good online habits like rejecting cookies, using browser settings to minimize trackers, and using a VPN to mask your true IP address.
  • Don’t use a third-party login to access a website. When you use your Google or Facebook credentials to log into something that isn’t Google or Facebook, you’re giving these Big Tech companies even more information about you.
  • Only allow phone apps to track your location when completely necessary. Actively manage what data is tracked and shared by apps like health monitors and home device controllers.
  • If you live in a place that does fall under the jurisdiction of GDPR, CCPA, or similar privacy regulations, you can (and should) request that a website owner delete your data from their records.

Using a browser with strong privacy and security protections, such as the Brave browser, will also limit collection of your personal data. Brave has a built-in VPN, and blocks ads and trackers by default, as well as third-party cookies and a variety of fingerprinting techniques. This blocking impedes a tracker’s ability to collect your personal data as you browse different sites.
