The General Data Protection Regulation (GDPR) states that personal data is all information about an identified or identifiable natural person. If personal data, whether or not in combination with other data, can identify a person without special effort, then privacy is at stake. Name and address details are an obvious example.
Personal data also includes e-mail addresses, passport photos, fingerprints and IP addresses, as well as data that gives a rating about a person, for example someone’s IQ.
Whether or not personal data is involved is partly determined by the context. A person’s profession is considered personal data, but in itself it does not make it possible to identify a person. The profession of nuclear physicist in combination with other data, however, can identify a person: if we know that the nuclear physicist lives on Ibiza, we might know who it is about.
What is sensitive personal data?
The GDPR defines some categories of personal data as sensitive personal data. This includes data that, if leaked, could have a serious impact on an individual’s privacy. Examples of sensitive personal data are religious data, race, medical data, criminal records, Social Security Number, etc. Extra safety guidelines and regulations apply to organizations that process this kind of data.
The GDPR and personal data
The GDPR provides guidelines for processing personal data of citizens of the EEA (European Economic Area). In short, concerning WordPress websites, the following principles are to be taken into account:
- Provide a privacy statement, in which you describe how you handle personal data, and for which purposes
- When disclosing data to third parties or processors, you’ll probably need to sign processing agreements with these parties
- Define a lawful basis for any form of the processing of personal data
- When using cookies, the lawful basis for processing in most cases is consent. Therefore most websites will need a cookie banner
- The consent banner needs to link to a cookie policy, which clearly states the placed cookies, along with information like purpose and persistence
- When storing information (other than via the use of cookies), we have to provide the possibility to exercise several rights, like the right of access and the right to rectification
While it seems that the big fuss about cookies began with the enforcement of the GDPR, the upcoming ePrivacy Directive gives us more concrete guidelines on how to handle cookies and consent. This is why the Complianz plugin is built according to the latest draft of the ePrivacy Directive.
The CCPA and personal data
The CCPA is, in many ways, a lot like the GDPR and applies to the processing of data of all California residents. We go more in-depth about this legislation in our blog about the CCPA. In regard to personal data and WordPress websites, we have to take the following into account:
- Provide a privacy statement. There are some differences as to the requirements of this document compared to the GDPR.
- There is no need to ask for consent; however, websites need to clearly state the use of cookies, so a cookie banner is also required.
- Websites must provide the possibility to opt-out of the processing of personal data (placed cookies)
PIPEDA and personal data
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).