GDPR defines Personal Data as 

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


CCPA defines Personal Data as

Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Practically, for most website owners, this translates to any data that could potentially identify a specific individual. This includes:

  • Names and Adresses
  • IP Addresses
  • Email Adresses
  • Financial Information (PIFI)
  • Unique Identifiers (like passport or social security numbers)
  • Medical information
  • Biometric elements (facial recognition, fingerprint)
  • A person’s location, occupation, gender, etc.

It's important to note that the GDPR and CCPA deals with the total sum of information saved on users. So while a data-set in itself might not be enough to identify users, it would still be considered personal data if it could be used to do so when combined with another data-set.

A good example of this is a list of first names. It would not be a breach of GDPR and CCPA to create such a list, maybe to identify the most popular first name of your users. You wouldn't be able to identify any individual from a list saying 'John, Jane, Mike'. But if you combined this list with any other values, such as surnames, emails or similar, it might be enough to identify an individual. And that would be a breach.

GDPR and CCPA is in most aspects similar. If you have any questions on GDPR, try looking over our Frequently Asked Questions on GDPR.

You're also welcome to contact us at if you have any questions.