When Everything is “Personal”: GDPR vs. CCPA

What qualifies as "personal data" under the GDPR and "personal information" under the CCPA? This comparative guide explains why both laws adopt intentionally broad definitions and debunks common myths about public, hashed, pseudonymous, and household data.

Share
When Everything is “Personal”: GDPR vs. CCPA
If your client is subject to the GDPR or CCPA, stop searching for loopholes in the definition of “personal information.” You won’t find any. Both laws cast a deliberately wide net. The real challenge isn’t whether data is in scope, but what you do once it is: establish a lawful basis, honor consumer rights, minimize what you collect, and set guardrails around its use

Intro

Ever feel like privacy lawyers treat everything as “personal data”? That’s because under both the EU’s GDPR and California’s CCPA/CPRA, almost everything that touches on people is in scope. These laws are intentionally broad: regulators don’t want organizations sidestepping responsibility with clever definitions. Whether it’s a doctor’s prescribing habits in Europe or household device data in California, both frameworks extend protection far beyond names and emails. The bottom line: if data even brushes against an individual or household, it counts.

This article unpacks how both GDPR and CCPA/CPRA answer the question of what “personal data” or “personal information” really means. It breaks down the building blocks regulators use to define the term, compares how Europe and California frame scope and exclusions, and clears up common myths — like whether public data is exempt, whether hashed or pseudonymous data still counts, and what the “right to be forgotten” actually covers. The goal is to give practitioners a practical lens: not just what’s in scope, but how to manage it responsibly.

GDPR: Any Info, About Any Person

Under the GDPR, personal data is any information relating to an identified or identifiable natural person. That definition is intentionally sweeping. This broad interpretation has been consistently emphasized for many years, starting with the seminal 2007 Article 29 Working Party Opinion on the concept of personal data (Source 1 below), which remains a cornerstone reference for EU regulators and practitioners:

1. First building block: “Any information.”
GDPR means this literally. Any information counts — objective facts like blood type, subjective judgments like “reliable borrower,” even a doodle drawn by a child if it reveals something about her family. The law explicitly states that it does not matter whether the information is true or false, public or private, sensitive or trivial.

2. Second building block: “Relating to.”
Data can relate to a person in at least three ways:

  • By its content. This is the most straightforward situation: information is directly about the individual. Examples include a person’s name, a fingerprint, results of a medical analysis, or the image of a person captured on video. Even professional information such as drug prescription data about a physician, or the minutes of a meeting recording who attended and what was said, can relate to an individual by content.
  • By its purpose. Information can also be considered personal because it is processed with the purpose of evaluating, influencing, or treating someone in a certain way. For instance, adtech cookies or device fingerprints may only appear to relate to a browser or machine, but if they are deployed specifically to single out an individual for targeted advertising, the data relates to that person. In fact, EU data protection authorities have made clear that because the very purpose of these technologies is to deliver a particular ad to a particular person, such data cannot realistically be treated as anonymized. In practice, this means that full anonymization in the context of advertising is virtually impossible under GDPR: any dataset used to target ads at individuals will be deemed personal data. Similarly, a call log kept to monitor an employee’s productivity relates to that employee, true or false statements, and even seemingly trivial facts (like browsing history or an IP address). The law makes clear that format doesn’t matter: text, numbers, images, sound recordings, video, or even a child’s drawing can qualify.
  • By its result. Even where data does not appear to be about a person and was not collected for that purpose, it can still “relate to” an individual if its use impacts their rights or interests. Bus GPS data, for example, may appear to be about vehicles, but if the information is later used to assess driver performance, it clearly relates to the drivers. Likewise, information about a house’s value may become personal data if used by tax authorities to determine the owner’s obligations.

These three pathways — content, purpose, and result — are alternative, not cumulative. Any one of them suffices for information to “relate to” a person. Importantly, the same piece of information can relate to different individuals depending on context. A company phone log might relate to the employee making calls (content), the employer monitoring productivity (purpose), and even the called party (result). This expansive approach underscores why regulators emphasize that “relating to” must be interpreted broadly, so organizations do not sidestep obligations by claiming the data is only about objects, processes, or events.

3. Third building block: “Identified or identifiable.”
This is where Recital 26 kicks in: identifiability is assessed against all means reasonably likely to be used, not only today’s technology but also foreseeable developments (Source 1 below). This is why IP addresses, device IDs, and pseudonymous IDs are usually in scope — they can reasonably lead back to a person.

4. Fourth building block: “Natural person.”
GDPR protects living human beings, not corporations or deceased persons (Source 1 below). However, data about a company can still be “personal data” if it relates to its owners or employees (think sole proprietors or company emails that clearly identify individuals).

The takeaway: GDPR doesn’t care whether the information is already public, mundane, or even inaccurate. If it relates to you, it’s personal data.

CCPA/CPRA: Consumers, Households, and a Kitchen Sink

California’s law is just as ambitious, but it frames things differently. Personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (Cal. Civ. Code § 1798.140(v)(1)). The definition has a distinctive California flavor, but it was meant to mirror the expansive approach of GDPR — covering almost any data point that can be tied to a person or household.

I wrote an article, originally published in 2019 by the California Lawyers Association, that breaks down the CCPA’s broad definition of “personal information” (Source 2 below). While the piece predates the CPRA amendments (so some statutory citations are now outdated), its analysis remains highly relevant today. If anything, the scope has only broadened under CPRA.

Let’s walk through California’s four building blocks:

Information
The CCPA’s use of the word information signals a legislative intent for a broad scope. Both objective data (like lab test results) and subjective judgments (like “reliable borrower”) count. The information need not be true, sensitive, or digital — browsing history, an IP address, an image, or even sound recordings can qualify. Unlike GDPR, CCPA does not require that information be part of a filing system.

That Identifies, Relates to, Describes, Is Reasonably Capable of Being Associated With, or Could Reasonably Be Linked
This is the heart of the definition: what kind of connection (or nexus) must exist between data and a consumer or household? The answer, in short, is that data can be personal even if not obviously “about” someone at first glance. The article explains three pathways, which mirror those under GDPR:

  • By content (a name or fingerprint directly identifies an individual).
  • By purpose (adtech cookies may look like device data, but since their purpose is to target individuals, they relate to people).
  • By result (bus GPS data may seem about vehicles, but when used to evaluate driver performance, it relates to drivers).

Directly or Indirectly
Information may connect to people indirectly, through unique combinations of traits (e.g., age + job title + city). The article notes that CCPA requires considering cost, effort, and available technology to decide whether data is linkable. An IP address, for example, might not always identify a person on its own, but in combination with other data it often does. The bottom line: identification can be direct or circumstantial.

With a Particular Consumer or Household
CCPA uniquely protects not just individual consumers (California residents) but also households. A “household” is broadly understood as people living together and sharing devices or services. That means telemetry from a shared smart TV or thermostat falls in scope — even if no single user is identified. However, most CCPA rights (access, deletion, opt-out) are tied to consumers, not households alone. (Side note: if you think the EU somehow “spares” household data from the scope of GDPR, please read a bit more case law or enforcement actions — wake up and “smell the roses,” as they say.)

On top of this, CPRA provides long illustrative lists of what counts: names, aliases, IP addresses, email addresses, account numbers, biometric data, geolocation, browsing history, and even inferences about preferences and behavior. It also introduces a category of Sensitive Personal Information (like government IDs, precise location, or financial data) with extra rules. (There is, of course, a similar concept under GDPR.)

And yes, CPRA has some exclusions:

  • Publicly available data (with caveats: biometric info collected without your knowledge is not public).
  • Truthful information of public concern (e.g., facts in a news story).
  • De-identified and aggregated data, if strict safeguards prevent re-identification.

Europe and California: Same Song, Different Lyrics

So yes, both GDPR and CPRA are deliberately overinclusive. The safest mindset: if your data relates to someone — or even a group of someones — it’s probably “personal.”

When you line the two frameworks up, the similarities are striking. Both are designed to catch as much information as possible in their nets:

  • GDPR uses a philosophical definition: if it relates to a human being, it’s personal data — no matter the context (Source 1 below).
  • CPRA uses a laundry-list definition: here’s everything we mean, and by the way, add “households” too (Source 2 below).

The biggest differences are in exclusions and categories:

  • GDPR does not carve out public information or de-identified data (though anonymous data truly outside identifiability is out of scope).
  • CPRA explicitly excludes those categories — but only if the business truly meets the high bar of de-identification or aggregation (Source 2 below).

This is not a bug; it’s the feature. Regulators don’t want you debating in the margins; they want you treating data about people like… data about people.

As Elizabeth put it in her article, On Personal Data (this is very much a myth-buster piece that I would definitely recommend for reading), personal does not mean private at all. Hashed data? Still personal. Putting data on a blockchain? It depends. Even public details — your name, city, employer — are personal data if they relate to you.

(Side note: she also “clears away the noise” on a few more topics: (1) Personal data is not illegal — the real question is always, what’s your lawful basis for using it? (2) The right to be forgotten ≠ delete everything — erasure rights are limited and full of exceptions (public interest, research, statistics); it’s not the free-for-all some people imagine. (3) Personal data is, well, personal — individuals should have meaningful control over data that relates to them, and concepts like self-sovereign identity push power back toward people.)

Key Myths Busted

  1. Personal data ≠ private data
    Even public details — your name, city, employer — are personal data if they relate to you. Privacy and “personal” are not the same thing.
  2. Processing personal data is not illegal
    Hashed data? Still personal. Putting data on a blockchain? Probably regulated, but it depends. The good news: it is not all illegal to use it. The real question is you should ask is: what’s your lawful basis for using it?
  3. The right to be forgotten ≠ delete everything
    Erasure rights are limited and full of exceptions (public interest, research, statistics). It’s not the free-for-all some people imagine.
  4. Personal data is, well, personal
    Individuals have control over data that relates to them. This is a legal requirement. Concepts like self-sovereign identity push power back toward people.

Sources

  1. Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data (WP136).
  2. Lydia de la Torre, What Is “Personal Information” Under CCPA?, California Lawyers Association (2019).
  3. Elizabeth M. Renieris, On Personal Data (2018).

Additional Resources

Anonymization

Case-law

Copyright/IP address cases

Professional data cases