New privacy laws are changing the way businesses handle the personal information of their employees and customers. It is important to know which data sets constitute personal information (PI) or sensitive PI to ensure compliance with new laws and avoid accidental data breaches.
PI is defined differently across privacy laws, but generally includes any information that can be used to identify an individual. This can include names, contact information, ID numbers, IP addresses and other online identifiers. PI may also include more subjective information, such as personal opinions and perspectives. It's important to note that not all data is considered personal, and aggregating data may reduce the risk of re-identification.
Sensitive PI is protected more strongly than PI, and can include information regarding a person's race or ethnicity, gender, sexual orientation, religion, or other beliefs. It can also include information on criminal convictions, medical or health information, biometrics, financial data or other information that is related to their occupation or job. It could also include information that can cause a person embarrassment or harm if misused.
As a rule, limit the amount of personal information you share with other people. Consider implementing a data retention policy that limits how long you can keep personal information, along with a system to delete it upon request. This will allow you to maintain CPRA compliance and reduce the risk of fines.