Personal data is any information relating to an identified or identifiable living person, under GDPR Article 4(1). It spans obvious identifiers like a name or email and online identifiers like an IP address or cookie ID. US law calls the broad equivalent personal information.
The distinction matters because GDPR, CCPA, and the everyday term PII do not mean exactly the same thing. Below: the legal definition, real examples, direct versus indirect identifiers, sensitive category data, what falls outside the rule, and how GDPR, CCPA, and PII compare.
What Is the Legal Definition of Personal Data?
Personal data means any information relating to an identified or identifiable natural person, under GDPR Article 4(1). An identifiable person can be identified directly or indirectly, through an identifier such as a name, an ID number, location data, or an online identifier. This definition covers far more than a name and an address.
The word "any" in the statute is deliberate. GDPR's drafters wrote the definition broadly on purpose, so new types of data could not slip through the gaps. That breadth is why most information a website collects, from a contact form entry to a browser cookie, falls under the rule.
What Are Examples of Personal Data?
Personal data covers a wide range of information, including:
- Basic identifiers: full name, date of birth, national ID or passport number
- Contact details: home address, personal email address, phone number
- Online identifiers: IP address, cookie ID, device advertising ID
- Financial and physical data: bank or card numbers, photographs, biometric data such as fingerprints
The European Commission gives a concrete example set. It includes a name and surname, a home address, and a named personal email. It also lists an IP address, an ID card number, a cookie ID, a phone's advertising identifier, and a hospital or doctor's unique patient symbol. Two or more pieces of information that only identify someone when combined also count as personal data.
Not every version of a data type qualifies, though. The European Commission draws a sharp line between a personal email such as "name.surname@company.com" and a generic one such as "info@company.com". The first identifies a person. The second identifies a role at a company, not an individual.
Directly vs Indirectly Identifiable: How "Identifiable" Works
Data is personal whether it identifies someone directly, through a name or email, or indirectly, through information that singles a person out only in combination. The legal test is whether a person is identifiable, not whether they are already named.
Direct identification uses an identifier that points to one person on its own: a name, a passport number, or a vehicle registration number. Indirect identification happens when separate pieces of information, none identifying on their own, combine to distinguish one individual from everyone else. The UK's Information Commissioner's Office gives a concrete example. A combination of age, occupation, and place of residence can single out a specific person, even though no single factor does it alone.
This is why a dataset with names removed is not automatically safe. If an organization can still combine the remaining fields, or reasonably expects someone else could, the data stays personal under the law.
What Is Sensitive (Special Category) Personal Data?
Sensitive data, called special category data under GDPR Article 9, is a subset of personal data that needs extra protection. Exposure carries a higher risk of harm or discrimination. Processing it is prohibited by default, unless a specific lawful condition applies, such as the person's explicit consent.
GDPR Article 9(1) lists eight special categories:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for unique identification
- Health data
- Sex life or sexual orientation
CCPA runs a parallel concept called sensitive personal information, and its list runs wider than GDPR's. It covers Social Security numbers, account login credentials, financial account numbers, and precise geolocation. It also covers mail or message contents, genetic and biometric identification data, health and sexual orientation information, and racial, ethnic, religious, or union-membership information. A 2024 CCPA amendment added citizenship and immigration status to this sensitive class. Consumers get extra rights over this category, including the right to limit how a business uses it.
Are Cookies and IP Addresses Personal Data?
Yes. Cookie IDs, IP addresses, and advertising or tracking IDs are personal data when they can be linked to a person, directly or indirectly. GDPR names them as online identifiers. The UK's ICO groups IP addresses and cookie identifiers together as online identifiers that may be personal data. The European Commission's own example list includes both.
The practical nuance matters here. An IP address can be personal data even if a website operator alone cannot trace it to a person. Someone else, such as an internet service provider, often can make that link. CCPA reaches a similar result from the US side. It classifies an IP address as personal information when it can reasonably be linked to a consumer or household. Legal commentary notes the exact threshold gets debated case by case. Cybersecurity practitioners sometimes argue a bare IP address identifies a device rather than a human. Regulators and courts, though, consistently treat it as personal data once any reasonable means exists to trace it back to a person.
This is the direct link to cookie consent. Most cookies your analytics, ads, or marketing tools set carry an identifier that meets this bar. Any site setting non-essential cookies must meet what the GDPR requires for cookies before those cookies load.
What Is NOT Personal Data? (Anonymized vs Pseudonymized)
Data falls outside GDPR and CCPA only if it is truly anonymized, meaning re-identifying the person is no longer reasonably possible. Anonymization has to be irreversible to count.
Pseudonymized data is different, and this is the distinction most website owners miss. Pseudonymization swaps a direct identifier, like a name, for a code or reference number. A separate key still exists somewhere that can map the code back to the person. Under GDPR Article 4(5), that surviving key is exactly why pseudonymized data still counts as personal data. As long as re-identification stays technically possible, the data stays inside the law's scope.
| State | Identity link | Legal status |
|---|---|---|
| Anonymized (true) | Broken permanently, no key exists | Not personal data |
| Pseudonymized | Maintained via a separate key | Still personal data |
Two more categories fall outside the definition entirely. Information about a deceased person is not personal data under GDPR. Information about a company or other legal entity, rather than a natural person, is not personal data either. A business email like "info@company.com" fits this second case: it identifies a role, not an individual.
Personal Data vs Personal Information vs PII: GDPR and CCPA Compared
GDPR, CCPA, and the term PII are not three names for the same thing. All PII is personal data, but not all personal data is PII, and the three terms come from different legal traditions.
| Term | Where it comes from | Scope |
|---|---|---|
| Personal data | GDPR (EU/UK) | Broadest: any information relating to an identified or identifiable person, explicitly including online identifiers |
| Personal information | CCPA/CPRA (California) | Broad, and uniquely extends to a consumer's household, not just the individual |
| PII (personally identifiable information) | US practice, no single federal statute | Narrower: data that traces or distinguishes one person's identity, split into direct identifiers and indirect identifiers that only identify in combination |
The practical takeaway: the GDPR standard itself has no concept of PII at all. PII is a US practitioner term, defined variously by agencies like NIST and the Department of Labor rather than by one uniform law. It tends to focus on data that can trace an identity, narrower than the full range GDPR's "relates to" test covers. CCPA's "personal information" sits closer to GDPR's breadth than PII does, since it also names online identifiers, browsing history, and geolocation data explicitly. It goes further than GDPR in one respect: it extends to a consumer's whole household, not only the individual.
Why the Definition of Personal Data Matters for Your Website
Because online identifiers count as personal data, almost any website running analytics, advertising, or marketing cookies is processing personal data. That happens the moment a visitor loads a tracked page. This single fact triggers GDPR and CCPA duties: a lawful basis for processing, transparency about what is collected, and usually consent before cookies load.
In plain terms, a visitor who triggers a Google Analytics or ad-pixel cookie has just had their personal data processed. That is true whether or not your business ever sees their name. Whether data counts as personal is the trigger for most global privacy laws, not an edge case reserved for health or financial data.
For the practical steps to close that gap, see our guide on how to make your website GDPR compliant.
How Consently Helps You Manage the Personal Data Your Website Collects
Consently gives you the tools to manage the personal data your site collects through cookies and trackers. You meet consent and transparency requirements without hiring a lawyer or a developer.
Because cookie IDs and IP addresses are personal data, a site that sets non-essential cookies needs a valid consent basis before those cookies fire. Consently's cookie consent banner handles that step directly, with GDPR opt-in and CCPA opt-out templates that switch automatically by visitor location. EU visitors see an opt-in prompt; US visitors see an opt-out option by default.
Behind the banner, Consently scans your site automatically and blocks non-essential cookies and trackers until a visitor gives consent. Scripts do not fire without a lawful basis. Every consent choice a visitor makes is stored in a consent log, giving you a timestamped record for a regulator or a client to review.
Consently manages the cookie and tracker layer of personal-data compliance specifically. It does not map or inventory every category of personal data your business holds elsewhere, such as in a CRM or a payroll system. Consently is a GDPR cookie consent solution built around exactly this problem. Try Consently free and add a consent-ready banner to your site in minutes.
FAQs
What is personal data in simple terms?
Personal data is any information that relates to an identified or identifiable living person, from a name to an IP address or cookie ID. If the information can point back to a specific individual, directly or indirectly, it counts.
What are 5 examples of personal data?
Five common examples are a full name, a home address, an email address, an IP address, and a cookie ID. GDPR and CCPA both treat all five as personal data or personal information.
Is an IP address personal data?
Yes. GDPR names IP addresses as online identifiers, and CCPA classifies them as personal information when they can reasonably be linked to a consumer or household. This holds even when a website operator alone cannot trace the address, since an internet service provider often can.
Is an email address personal data?
A personal email address, such as one containing someone's name, is personal data. A generic role-based address like "info@company.com" is not, because it identifies a function at a company rather than an individual.
What is the difference between personal data and sensitive personal data?
Personal data is any information relating to an identifiable person. Sensitive personal data, called special category data under GDPR, is a narrower subset covering things like health, genetics, biometrics, and religious or political beliefs. It carries stricter processing rules than ordinary personal data.
Is personal data the same as PII?
No. All PII is personal data, but not all personal data is PII. PII is a US term with no single federal definition, focused on identity-tracing information. Personal data is the broader GDPR term that explicitly includes cookies and IP addresses.
What is not considered personal data?
Truly anonymized data, where re-identification is not reasonably possible, is not personal data. Information about a deceased person and information about a company, rather than a natural person, also fall outside the definition.
Is a name alone personal data?
Yes, a full name is a direct identifier and counts as personal data on its own in most contexts. It typically identifies one specific person without needing to combine with anything else.

