Key Definitions
Personal data

Last review date: 31 December 2024

Some US privacy laws use the term "personal data" while others use similar but varying terms, such as "personal information" or "personally identifying information." However, these terms are not consistently defined in US law.

For example, the CCPA uses two different definitions of the same term, "personal information." The first definition broadly defines "[p]ersonal information" as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Cal. Civ. Code § 1798.140(v)(1). This definition applies to privacy-related rights and obligations under the CCPA.

The second definition of "personal information" is narrow and applies to "reasonable security procedures and practices" and includes:

  • An individual's first name or first initial and the individual's last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
    • Social Security number
    • Driver's license number, identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account
    • Medical information
    • Health insurance information
    • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes
    • Information or data collected through the use or operation of an automated license plate recognition system
    • Genetic data
  • A username or email address in combination with a password or security question and answer that would permit access to an online account. Cal. Civ. Code § 1798.81.5(d)(1) and § 1798.82.

HIPAA regulates protected health information (PHI), which is defined as demographic data that either identifies or could reasonably identify an individual and which relates to:

  • Past, present, or future physical or mental health condition of an individual
  • The provision of health care to an individual
  • Past, present, or future payment for the provision of health care to an individual

GLBA regulates the use of (non-public) personal information in the financial services industry. The Act broadly defines "non-public personal information" as personally identifiable financial information that includes a consumer's name, contact details, and financial transaction information.

In the Washington My Health My Data Act, consumer health data is defined as "personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." The act specifies that the definition includes "any information that a regulated entity or a small business or their respective processor processes to associate or identify a consumer with" certain enumerated health data elements "that is derived or extrapolated from non-health information (such as proxy, derivative, inferred, or emergent data by any means, including algorithms or machine learning)."

Sensitive/special personal data (including personal data subject to additional protections/restrictions/breach notification obligations)

Last review date: 31 December 2024

Sensitive data includes:

☒   personal data revealing racial or ethnic origin

☒   personal data revealing political opinions

☒   personal data revealing religious or philosophical belief

☒   personal data revealing trade union membership

☒   genetic data

☒   precise geolocation data

☒   biometric data for the purpose of uniquely identifying a natural person

☒   data concerning health/medical information

☒   data concerning a natural person's sex life or sexual orientation

☒   financial information

☒   government identity card or number information

☒   passwords

☒   other

  • Citizenship
  • Immigration status

California's data breach notification laws define "personal information" as a consumer's social security, driver's license, state identification card, or passport number; a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer's precise geolocation; the contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication; and a consumer's genetic data.

The CCPA defines sensitive personal information (SPI) as a subset of personal information that is more sensitive in nature. SPI includes: (i) government identifiers including Social Security numbers, driver's licenses, state IDs, or passport numbers; (ii) financial account information, which includes account logins, financial account numbers, debit card numbers, or credit card numbers, along with any required security codes, passwords, or credentials; (iii) precise geolocation; (iv) contents of a consumer's mail, email, and text messages, unless the business is the intended recipient; (v) genetic data; (vi) biometric information; (vii) information concerning a consumer's health, sex life, or sexual orientation; and (viii) information about a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership.

Controller vs Processor

Last review date: 31 December 2024

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • the controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • the processor/agent is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Answer: Yes, depending on the state. Some US privacy laws use the terms "controller" and "processor," including the consumer privacy laws in Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. In addition, many US privacy laws utilize similar concepts like "service providers" (even if they do not specifically refer to "controllers" and "processors") and apply different obligations depending on the roles of the parties. For example, the CCPA applies different obligations to "businesses," "third parties," "service providers," and "contractors" with most obligations flowing to businesses, and HIPAA similarly establishes different obligations for covered entities and business associates (entities acting essentially as a service provider to the covered entities). Moreover, most data breach notification laws impose notice obligations on the "data owners," and typically require service providers (which maintain data on behalf of a data owner) to notify the data owner of the breach. All other notification obligations would generally flow to the data owner.