Under state laws, rules, and regulations such as the General Data Protection Regulation (GDPR), the California Online Privacy Protection Act (CalOPPA), and the California Consumer Protection Act (CCPA),
the definition of “Personal Data”, sometimes referred to as “Personally Identifiable Information (PII)” or “Personal Information (PI)”, is as follows:
“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier[…]”
This encompassing definition was intentionally drafted with a broad meaning. On close examination, it is important to note the following interpretation of some of the critical words:
“any”: the word “any” implies “any and all”.
“information”: the word “information” implies raw “data” including any “Personal Data” stored anywhere and in any format which can be true or false, sensitive or banal, and private or public. This means that your privacy doesn’t go out the window if your “Personal Data” is made public, intentionally, accidentally, or otherwise.
“relating to”: the information must be linked to a person to be considered “Personal Data”. However, the information could be either linked directly or indirectly. For example, the value of a house is not personal data until it can be related, linked, or traced to a person, at which time, it will become “Personal Data” of that person.
“identified or identifiable”: the information does not need to explicitly identify a person to be considered “Personal Data”, but it could implicitly, probably, or even possibly identify a person through a reasonable reference or inference. For instance, if with certain data a person can be physically recognized (identified) from a group, or theoretically singled out (identifiable) from a group, then that data shall be considered as “Personal Data”. For example, a date is just data, but a birth date of a person is “Personal Data” because combined with other information, that birth date could identify that person. Similarly, a model of a car on its own is just raw data, but a car purchased by a person is “Personal Data” because that car may identify that person, his/her purchasing habits, level of income, social status, residency, etc. Furthermore, any embedded information generated by the usage of the car is also considered to be “Personal Data”.
“natural person”: the information must be about a “natural” living person and not a “legal” existing person such as a corporation (Corporate Personhood under the 14th Amendment). For example, Calvin Klein – the fashion designer – is a living natural person, but Calvin Klein – the company – is not. Even though the company has certain rights, it does not have “Personal Data” like a living natural person does.
Personal Data is protected under the law regardless of its properties. For instance, Personal Data does not need to be private to be protected. As a corollary, Personal Data could be made publicly available, yet still be protected under the law. Similarly, Personal Data is protected by law whether it is sensitive or not sensitive, severe or not severe, descriptive or non-descriptive, etc.
Personal Data could have any of the following properties:
Privacy:
Private: known only to the owner of the Personal Data
Semi-Private: known only to specific people
Semi-public: known by anyone or everyone except specific people
Public: known by anyone or everyone
Severity:
Severe such as a social security number
Semi-severe such as nationality, race, religion, age, etc.
Not-severe such as the employer, profession, or degree of a person
Dependency:
Personal Data is dependent on the relationship between the owner of the Personal Data and the recipient with whom the Personal Data is shared. For example, someone’s phone number could be revealed for one contact but masked for another.
In order to support the “dependency” property of Personal Data, users should be able not just to define different properties for their Personal Data for different contacts, but also to dynamically change those properties as relationships evolve.
For example, a woman may first mask her phone number at the very beginning of her relationship with a man whom she just met. Masking a phone number means that the man can call the woman by clicking on the number but cannot know what the actual number is, and thus, cannot share the number with anyone. As she gains more confidence in him, she may unmask her number, only to make it inaccessible to him when she breaks up with him.
The ability to dynamically change the privacy settings of certain Personal Data shared with a contact is critical in empowering users with full control of their privacy and their Personal Data.
The parameters that could be used to customize the privacy of a user relative to a specific contact are the following:
Access:
Accessible
Semi-private
Semi-public
Public
Inaccessible
Private
Usage:
Usable
Unusable
Masking:
Masked
Unmasked
Period:
From Date
To Date
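
The per-contact parameters above can be evaluated as an access-control decision each time a contact requests an item of Personal Data. The sketch below is an added example, not code from the original page; the names Grant, View, resolve and phone_number_story are hypothetical, the phone number and dates are constructed, and Access is reduced to Accessible/Inaccessible as a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

MASK = "<masked>"  # fixed placeholder: reveals neither digits nor length


class Access(Enum):
    ACCESSIBLE = "accessible"
    INACCESSIBLE = "inaccessible"


@dataclass(frozen=True)
class Grant:
    """Settings an owner applies to one Personal Data item for one contact."""
    access: Access
    usable: bool                       # Usage: Usable / Unusable
    masked: bool                       # Masking: Masked / Unmasked
    from_date: Optional[date] = None   # Period: From Date (None = no lower bound)
    to_date: Optional[date] = None     # Period: To Date (None = no upper bound)


@dataclass(frozen=True)
class View:
    """What the contact receives; built server-side so a masked value never leaves."""
    display: Optional[str]
    can_use: bool                      # e.g. service-relayed click-to-call


DENIED = View(display=None, can_use=False)


def resolve(value: str, grant: Optional[Grant], today: date) -> View:
    """Evaluate the grant at request time; no grant or an expired one means deny."""
    if grant is None or grant.access is Access.INACCESSIBLE:
        return DENIED
    if grant.from_date is not None and today < grant.from_date:
        return DENIED
    if grant.to_date is not None and today > grant.to_date:
        return DENIED
    return View(display=MASK if grant.masked else value, can_use=grant.usable)


def phone_number_story(number: str = "+1-555-0100") -> list:
    """Constructed walk-through of the phone-number example: masked, unmasked, revoked."""
    day = date(2024, 1, 15)
    stages = [Grant(Access.ACCESSIBLE, usable=True, masked=True),
              Grant(Access.ACCESSIBLE, usable=True, masked=False),
              Grant(Access.INACCESSIBLE, usable=False, masked=True)]
    return [resolve(number, g, day) for g in stages]
```

Because the decision is recomputed on every request, a change the owner makes to a grant takes effect on the contact's next request, which is what makes the settings dynamic.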