Personal Data: Definition, Examples and Global Processing Requirements

Personal data sits at the heart of modern analytics and marketing. Under GDPR, personal data is any information relating to an identified or identifiable natural person. Knowing what counts as personal data is essential for building analytics that comply with global rules.

What is Personal Data

Personal data is any information about an identified or identifiable natural person. The person may be identified directly or indirectly through identifiers or factors specific to physical, physiological, genetic, mental, economic, cultural, or social characteristics.

Identification Criteria

Direct identification:

• First and last name
• Passport or ID number
• Social security number
• Biometric data

Indirect identification:

• IP addresses combined with other information
• Cookie identifiers
• Location data
• Behavioral patterns

Examples in Web Analytics

Obvious identifiers:

• Email addresses
• Phone numbers
• Postal addresses

Less obvious but still identifying:

• User IDs in analytics systems
• Browser fingerprinting data
• Activity timestamps combined with other parameters
• Purchase or conversion data

Classification

Ordinary Personal Data

Contact InformationIdentification DataTechnical Information

Examples:

• First and last name
• Email
• Phone number
• Postal address

Notes:

• Requires lawful basis
• Subject to minimization
• Subject to purpose limitation

Examples:

• Document numbers
• Customer ID
• Analytics User ID
• Device ID

Notes:

• High identification potential
• Needs extra protection
• Audit access

Examples:

• IP addresses
• Cookie data
• Browser fingerprints
• Session ID

Notes:

• May be personal depending on context
• Identification potential must be analyzed
• Apply minimization

Special Categories

GDPR identifies special categories that require enhanced protection: data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health data, and data on sexual orientation.

Restrictions on Special Categories

Principles:

• Default prohibition on processing
• Exceptions require explicit consent
• Additional technical safeguards
• Mandatory Data Protection Impact Assessment (DPIA)

Data Type	Requirements	Analytics Examples
Racial/Ethnic Data	Explicit consent or vital interests	Demographic segmentation
Political Views	Explicit consent or public interest	Political-preference targeting
Health Data	Medical purposes or explicit consent	Health & wellness apps, fitness trackers
Biometric Data	Unique identification	Face ID, voice assistants, fingerprint scanners

International Standards

GDPR (European Union)

GDPR reads personal data broadly. It includes any information relating to an identified or identifiable natural person, including subjective items like opinions, assessments, and judgments.

Key features:

• Extraterritorial scope
• Accountability principle
• Privacy by design
• High fines (up to 4% of global turnover)

CCPA/CPRA (California, USA)

CCPA defines personal information as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device, or household."

CPRA additions:

• "Sensitive Personal Information" (SPI) concept
• Right to limit use of SPI
• California Privacy Protection Agency (CPPA)

PIPEDA (Canada)

PIPEDA uses a broad definition: any information that can identify a person, including traditional identifiers and financial or medical information.

PIPEDA's 10 Fair Information Principles:

1. Accountability, appoint someone responsible for compliance
2. Identifying Purposes, state collection reasons clearly
3. Consent, obtain permission before collection
4. Limiting Collection, only necessary information
5. Limiting Use and Disclosure, strictly for stated purposes
6. Accuracy, keep data current
7. Safeguards, technical and organizational
8. Openness, transparent policies
9. Individual Access, right to view personal data
10. Challenging Compliance, complaint procedures

LGPD (Brazil)

LGPD defines personal data as any information that helps directly or indirectly identify a person. Modeled on GDPR, it unifies 40 sectoral regulations.

Pseudonymization and Anonymization

Pseudonymization

Pseudonymization replaces or removes identifying fields. Pseudonymized data remains personal data under GDPR.

Pseudonymization Methods

Techniques:

• Replacing names with reference numbers
• Hashing identifiers
• Tokenization
• Encryption with separate key storage

Benefits:

• Lower risk for subjects
• Aligns with minimization
• Simpler analytics processing
• Preserves re-identification when needed

Anonymization

Anonymized data sits outside GDPR if anonymization is irreversible and the subject can no longer be identified.

True anonymization criteria:

• No singling out
• No linkability
• No inference

graph LR
    A[Personal Data] --> B{Data Processing}
    B --> C[Pseudonymization]
    B --> D[Anonymization]
    C --> E[Remains Personal Data]
    C --> F[Requires GDPR Protection]
    D --> G[Not Personal Data]
    D --> H[Not Subject to GDPR]
    E --> I[Simplified Processing]
    F --> I
    G --> J[Free Processing]
    H --> J

Personal Data in Analytics

What Analytics Systems Collect

Modern analytics collect a lot. Much of it can qualify as personal data.

Session data:

• Unique session IDs
• Activity timestamps
• Page-view sequences
• Duration and bounce data

Device fingerprinting:

• Browser and OS parameters
• Screen resolution and timezone
• Installed fonts and plugins
• Canvas fingerprints

Behavioral analytics:

• Heatmaps and click tracking
• Scroll depth and time on page
• Form interaction
• A/B testing data

When Behavior Becomes Personal Data

Even without names or emails, behavior plus device characteristics plus timing can produce a unique profile that identifies a user.

Consent Models

Opt-in (GDPR)Opt-out (CCPA)

Requirements:

• No cookies before consent
• Granular category selection
• Easy withdrawal
• Documented consents

Implementation:

• Cookie banners with active choice
• Consent Management Platforms (CMP)
• Integration with analytics
• Periodic consent renewal

Requirements:

• Tracking on by default
• Visible "Do Not Sell" link
• Global Privacy Control (GPC) support
• Deletion on request

Implementation:

• Privacy policy with clear opt-out steps
• Automatic GPC detection
• User dashboard for data
• Deletion workflows

Compliance-Friendly Tech

Privacy-first architecture:

• Server-side tracking for control
• First-party instead of third-party cookies
• Edge computing for processing locality
• Short retention

Data governance:

• Data inventory and mapping
• DPIA process
• Compliance audits
• Incident response plans

Subject Rights

Universal Rights

Most modern laws grant similar rights.

Right to information:

• Transparency in collection and processing
• Clear purposes
• Retention periods
• Contact details for the responsible party

Right of access:

• Confirmation of processing
• Copies of personal data
• Information about purposes and recipients
• Sources, if not collected from the subject

Right to rectification:

• Correction of inaccurate data
• Completion of incomplete data
• Notice to third parties

Right to erasure ("right to be forgotten"):

• Deletion under certain conditions
• Notice to third parties
• Balance with other rights (free expression, public interest)

GDPR-Specific Rights

Right to restriction. Temporary suspension during disputes; restriction instead of deletion; notice when restrictions lift.

Right to data portability. Structured format; transfer to another controller; technical compatibility.

Right to object. Against legitimate-interest processing; absolute against direct marketing; exceptions for compelling legitimate grounds.

Global Trends

Direction of Travel

Convergence:

• GDPR principles globalize
• International requirements harmonize
• Mutual recognition of adequacy decisions

Stronger enforcement:

• Higher fines
• More DPA investigations
• Class actions and collective redress

Specialized regulation:

• AI and automated decisions
• Facial recognition limits
• Children's privacy (Age Appropriate Design Code)

New Jurisdictions

Asia-Pacific:

• Personal Data Protection Act (PDPA) Singapore
• Privacy Act 1988 Australia (2022 amendments)
• Personal Information Protection Law (PIPL) China

Africa and Latin America:

• Protection of Personal Information Act (POPIA) South Africa
• Ley de Protección de Datos Personales Argentina
• Data Protection Act Kenya

Gartner Forecast

Gartner expected modern privacy regulation to cover most consumer data by 2024, pushing companies toward a global compliance approach.

Impact on Analytics Design

Privacy by Design

Proactive, not reactive. Prevent issues at design time. Run continuous PIAs. Use a privacy-first approach to features.

Privacy as the default. Maximum privacy by default. Opt-in for additional collection. Automatic retention limits.

Privacy embedded into design. Architectural integration. Cannot bypass privacy controls. End-to-end protection.

Full functionality, positive sum. Privacy should not break functionality. Build win-win solutions. Innovate around the balance between privacy and utility.

Technical Approaches

Differential privacy:

• Add mathematical noise
• Plausible deniability for individual records
• Statistical utility with individual privacy

Federated learning:

• Train without centralization
• On-device processing
• Aggregated insights without raw data sharing

Homomorphic encryption:

• Compute on encrypted data
• Zero-knowledge proof systems
• Secure multi-party computation

graph TD
    A[Raw Personal Data] --> B{Privacy-enhancing Technologies}
    B --> C[Differential Privacy]
    B --> D[Federated Learning]
    B --> E[Homomorphic Encryption]
    C --> F[Statistically Useful Aggregates]
    D --> G[Trained Models]
    E --> H[Encrypted Insights]
    F --> I[Privacy-safe Analytics]
    G --> I
    H --> I

Compliance Recommendations

Organizational

Roles:

• Data Protection Officer (DPO) for GDPR
• Privacy Officer for CCPA/CPRA
• Cross-functional privacy committee

Documentation:

• Records of Processing Activities (RoPA)
• Data flow diagrams
• Privacy policies and notices

Training:

• Privacy training for engineers
• Legal updates for management
• Incident response procedures

Technical

Data minimization:

• Collect only what is necessary
• Purpose limitation
• Automated retention and deletion

Security:

• Encryption at rest and in transit
• Access controls and authentication
• Regular audits and pentests

Transparency:

• User-friendly privacy dashboards
• Clear consent UI
• Accessible privacy policies

Challenges

Utility vs Privacy

Insights vs individual privacy:

• Detailed tracking helps business intelligence
• Privacy expectations are rising
• Anonymizing large datasets is hard

Real-time vs consent:

• Real-time analytics demand speed
• Consent checks add latency
• Granular consent is complex to manage

International Compliance

Multi-jurisdictional:

• Definitions vary
• Requirements conflict
• Extraterritorial reach

Localization:

• Cross-border transfer limits
• Regional data centers
• Adequacy decisions and standard contractual clauses

We have surveyed how personal data is defined and classified globally. Statable is built on Privacy by Design and supports global compliance without losing analytical value.

The platform plans to ship advanced privacy-enhancing technologies, including differential privacy for statistical reporting and federated learning for behavioral insights, so analytics stay rich without compromising privacy.

---

About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers. Of course, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks and, relatively speaking, writing an article about Viewport yourself is quite strange. It won't come out significantly better and will take a lot of time. But providing basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants - there's always proofreading, and this is where not one or two people participate, and only after that the article is published.

Ready to ensure full compliance with data protection requirements?

Sign up for a free trial of our platform and get access to analytics tools designed with global privacy compliance standards. Automatic compliance monitoring, built-in privacy controls, and transparent user consent management out of the box.

---

Ready to take control of your web analytics? Try Statable free for 30 days — no credit card required, full feature access, GDPR-compliant by default. Start your free trial or view a live demo.