Which of the following data categories are companies prohibited from collecting under the GDPR?
‘Personal Data’ has different legal definitions in the GDPR, the CCPA in California, the CDPA in Virginia, the LGPD in Brazil and other regulations. Although “personal data” is sometimes used interchangeably with PII (personally identifiable information), the GDPR gives “personal data” a specific and strict definition with concrete examples, and that definition is broader than PII. Unfortunately for organizations, there is currently no global standard legal definition of personal data. All regulations follow a common approach, but some frameworks are very specific and provide actual examples of personal data, while others are vaguer and subject to interpretation. If your organization operates in multiple jurisdictions, you will first need to understand the definitions under each regulation and which regulation(s) apply to the data you collect, use and store. This will allow you to answer questions such as:
Below, we will review the current definitions of personal data under key global data privacy and protection regulations. Curious how personal data, data breach requirements, fines, and other provisions differ across key privacy frameworks? Access the Privacy Law Comparison Table to find out.

Personal Data Under CCPA
The CCPA established eleven categories of personal information and provided examples to illustrate most of these categories:
The CCPA does not consider publicly available information from federal, state, or local government records, such as professional licenses and public real estate/property records, to be personal information. In addition, the CCPA does not treat as personal data information that has been pseudonymized and de-identified, or aggregated and de-identified, because it cannot reasonably be linked to an individual. One of the key differences between the CCPA and the GDPR is that the GDPR is exclusive to the individual, while the CCPA also covers information specific to a household, not only to an individual. For the official definition of personal data under the CCPA, see the official text (Section 1798.140.(o)).

Personal Data Under CPRA
The CPRA follows the definition of “personal data” adopted in the CCPA. However, the CPRA introduces specific categories of “sensitive data”, defined as “personal information that reveals:
You can learn more about the new sensitive data categories under the CPRA in the official text (page 23, 1798.140.(ae)).

Personal Data Under Virginia CDPA
Under the CDPA, “personal data” means “any information that is linked or reasonably linkable to an identified or identifiable natural person.” ‘Personal data’ does not include “de-identified data or publicly available information.” Unlike the CCPA, the CDPA does not provide examples of categories of personal information. Like the CCPA, the definition in the CDPA excludes any de-identified data and publicly available information. Publicly available information is defined as “information that is from federal, state, or local government records”. In addition, the CDPA adds to its definition of publicly available “information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” Similar to the CPRA, the CDPA introduces the definition of “sensitive data”, which includes:
You can access the definitions of personal and sensitive data under the CDPA in the official text (59.1-571 - Definitions).

Personal Data Under Colorado CPA
The definition of ‘Personal Data’ under the CPA is closely related to that of Virginia’s CDPA and states that “personal data means:
As used in this subsection (17)(b), “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.” In addition, the Colorado CPA does not include data “maintained for employment records purposes.” Similar to the CDPA and CPRA, the CPA defines sensitive data to “mean (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status, (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual, or (c) personal data from a known child.” To read more about the definitions of personal and sensitive data, please refer to the official text (page 8, 6-1-1303.(17) and page 10, 6-1-1303.(24)).

Personal Data Under GDPR
Under the GDPR, “Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” In addition, the European Commission clarified the above in the Q&A section of its website: Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data.
For data to be truly anonymised, the anonymisation must be irreversible. The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR. The website also lists examples of personal data under GDPR. These examples include:
As importantly, it also lists examples of what is not considered personal data. These examples are:
The GDPR also makes a clear distinction between personal data and sensitive data via the “special categories” of personal data. The special categories include:
The processing of special category data is prohibited unless:
To access more information about the data in scope under the GDPR, please refer to the official GDPR website (Article 4 – Definitions and Article 9 – Processing of special categories of personal data).

Conclusion
As you can see, the definitions of personal data vary from one privacy regime to the next. Make sure you have a good understanding of these legal definitions before you work on your data inventory and data mapping initiatives. This is the foundational step of any robust privacy program. To compare the definitions of “Personal Data” and “Sensitive Data” side by side for all these regulations and others such as China’s PIPL, Canada’s PIPEDA, or Brazil’s LGPD, please check our Interactive Privacy Table.

What personal data can be sold?
User data can legally be sold as long as the legal conditions for its collection and sale have been met and there isn't any regulation against it. In some instances, for example, the data has to be de-identified first. (Learn more: Data Anonymization: The What, Why, and How of Data Anonymization.)
Which of the following is an unacceptable method for obtaining consent?
Unambiguous consent: “Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent” (Recital 32).