Under state laws, rules, and regulations by General Data Protection Regulation (GDPR), California Online Privacy Protection Act (CalOPPA), and California Consumer Protection Act (CCPA),

the definition of “Personal Data”, or sometimes referred to as “Personally Identifiable Information (PII)” or “Personal Information (PI)”, is as follows:

"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier[…]”

This encompassing definition was intentionally drafted with a broad meaning. On a close examination, it is important to note the following interpretation of some of the critical words:

• “any”: the word “any” implies “any and all”.

• “information”: the word “information” implies raw “data” including any “Personal Data” stored anywhere and in any format which can be true or false, sensitive or banal, and private or public. This means that your privacy doesn’t go out the window if you “Personal Data” is made public, intentionally, accidently, or otherwise.

• “relating to”: the information must be linked to a person to be considered “Personal Data”. However, the information could be either linked directly or indirectly. For example, the value of a house is not personal data until it can be related, linked, or traced to a person, at which time, it will become “Personal Data” of that person.

• “identified or identifiable”: the information does no need to explicitly identify a person to be considered “Personal Data”, but it could implicitly, probably, or even possibly identify a person through a reasonable reference or inference. For instance, if with certain data a person can be physically recognized (identified) from a group, or theoretically singled out (identifiable) from a group, then that data shall be considered as “Personal Data”. For example, a date is just data, but a birth date of a person is “Personal Data” because combined with other information, that birth date could identify that person. Similarly, a model of a car on its own is just raw data, but a car purchased by a person is “Personal Data” because that car may identify that person, his/her purchasing habits, level of income, social status, residency, etc. Furthermore, any embedded information generated by the usage of the car is also considered to be “Personal Data”.

• “natural person”: the information must be about a “natural” living person and not a “legal” existing person such as a corporation (Corporate Personhood under the 14th Amendment). For example, Calvin Klein – the fashion designer – is a living natural person, but Calvin Klein – the company – is not. Even though the company has certain rights, but it does not have “Personal Data” like a living natural person does.

Personal Data is protected under the law regardless of its properties. For instance, Personal Data does not need to be private to be protected. Corollary, Personal Data could be made publicly available, yet still be protected under the law. Similarly, Personal Data is protected by law whether it is sensitive or not sensitive, severe or not severe, descriptive or non-descriptive, etc.

Personal Data could have any of the following properties:

• Privacy:

  • Private: known only to the owner of the Personal Data

  • Semi-Private: known only to specific people

  • Semi-public: Known by anyone or everyone except by specific people

  • Public: known by anyone or everyone

• Severity:

  • Severe such as a social security number

  • Semi-severe such as nationality, race, religion, age, etc.

  • Not-severe such as the employer, profession, or degree of a person

• Dependency:

  • Personal Data is dependent on the relationship between the owner of the Personal Data and the recipient with whom the Personal Data is shared. For example, someone’s phone number could be revealed for one contact but masked for another.