What counts as personal data, and why sensitivity varies
With whom would you willingly share sensitive personal information, such as your bank account number?
Would you provide it to a mortgage company if you needed a house loan? Probably. How about for a one-on-one payment app on your phone? Maybe, depending on how badly you want to make cashless transactions between friends.
What about a company selling magazine subscriptions? On the surface, many consumers would hesitate to give up financial info in that situation. But if the magazine came from a well-known publisher offering a 20% discount for automatic billing, some people would agree to that exchange.
There is a wide spectrum of personal data that companies try to collect, and the sensitivity of that data is a factor in whether it is shared. Customers also judge who wants their personal information and how those parties will use it. Collectively, how personal data is collected and used has become known as the "privacy experience," and data protection teams and go-to-market professionals are increasingly aware of it.
"The establishment of a forward-thinking, business-focused data privacy and compliance team that can enable and support your sales team will only become more important as the privacy landscape continues its rapid global expansion," wrote Taylor Dronen, director of data practices and data protection officer at ZoomInfo, an all-in-one AI GTM Platform.
This article covers what personal data is, why its sensitivity varies, how regulations govern it, and what organizations and individuals can do to protect it.
What counts as personal data, and why sensitivity varies
Personal data includes any information that can identify an individual, directly or indirectly. The spectrum of personally identifiable information stretches across many layers, and understanding where data falls on that spectrum shapes how it should be handled.
Directly identifying data (can identify a person on its own):
Full name
Social Security number
Financial account details
Health records
Biometric data (fingerprints, facial recognition data)
Indirectly identifying data (can identify a person when combined with other available information):
IP address
Device ID
Job title
Behavioral data (browsing history, online purchases, social media activity)
Cookie IDs
One important nuance: pseudonymized and de-identified data are still classified as personal data under most regulatory frameworks. Only truly anonymous data falls outside personal data definitions.
Court documents and marriage licenses contain sensitive information but are largely considered public records. Professional information such as corporate email addresses and job titles sits at the less sensitive end of the spectrum, and B2B vendors commonly source this data from LinkedIn profiles, email signatures, and business cards.
The spectrum of personal data lays the foundation for the privacy experience. What makes that experience positive or negative is not just what data is collected, but how clearly organizations explain their collection practices and what they do with the data afterward.
Data privacy vs. data protection vs. data security
These three terms are often used interchangeably, but conflating them leads to misaligned program investments. A company can deploy strong encryption across its entire infrastructure and still fail on privacy if it has no lawful basis for collecting data in the first place. Getting the distinctions right is the first step toward building a coherent program.
Data Privacy | Data Protection | Data Security | |
|---|---|---|---|
Definition | Governs who has the right to access personal data and the rules around consent, transparency, and data subject rights | The technical and organizational measures that enforce those access rights | The controls that prevent unauthorized access, breaches, or loss of data |
Primary focus | Rights and permissions | Enforcement of privacy rules | Prevention of unauthorized access |
Key mechanisms | Privacy notices, consent frameworks, data subject rights processes, lawful basis for processing | Encryption, access controls, breach detection, data retention policies | Firewalls, intrusion detection, identity and access management, vulnerability management |
Who is responsible | Legal, compliance, privacy officers | IT, compliance, privacy engineers | IT security, InfoSec teams |
Personal data privacy sits at the top of this hierarchy: it defines the rules. Data protection implements those rules. Data security defends the infrastructure that holds the data. All three are necessary, but they serve distinct functions.
How the privacy experience shapes customer trust
Transparency about data use is the foundation of a positive data privacy experience. How a company uses the data a customer shares plays a huge role in whether that person has a positive or negative experience with the brand.
Consider robocalls: few consumers would offer up their mobile number if they knew a company was going to sell it to an automated call vendor. But if a company stated upfront that it collects mobile numbers to text customers about relevant offers, more people would share their numbers willingly. The difference is transparency.
"Customers are actually fine with companies using their personal information for the stated purpose of meeting their elevated expectations," according to Salesforce, State of the Connected Customer (2018). "Overwhelming majorities are willing to share relevant personal information (or in the case of business buyers, professional information) in exchange for perks like personalized offers, personalized shopping experiences, and consistent omni-channel interactions."
The Salesforce research also found that business buyers tend to be more tolerant about the use of their personal data than consumers. The gap generally comes down to trust.
"A consumer can only truly consent to the collection, use, and the sale of their personal information, including the terms of service and privacy policies they readily click to agree to, if they understand what information is being collected," said privacy expert Mary Stone Ross in March 2019 (IAPP public forum on the CCPA). Ross co-authored the California Consumer Privacy Act.
One dimension of the privacy experience that is particularly relevant for sales and marketing teams: organizations that purchase third-party personal data, such as B2B contact data, automatically assume the role of data controller and bear full responsibility for lawful processing. Buying a contact list does not transfer liability to the vendor. The purchasing organization is responsible for ensuring that data is used in compliance with applicable regulations.
That is where privacy officers can add direct value to go-to-market teams. "Privacy officers know your business top to bottom, and they know the privacy space," Dronen wrote. "What many organizations are failing to realize, though, is that these same qualities that make their data protection employees so valuable to internal compliance, also makes them a great resource for your go-to-market teams and can help bring more deals across the line faster."
Key personal data privacy laws and regulations
There is no comprehensive US federal privacy law. The United States operates a patchwork of sector-specific federal statutes and state-level regulations, which means organizations doing business across multiple states face a genuinely complex compliance landscape. Three frameworks are operationally significant for most B2B organizations.
Regulation | Jurisdiction | Scope | Key Rights Granted | Enforcement Body |
|---|---|---|---|---|
GDPR | European Union | Any organization processing personal data of EU residents, regardless of where the organization is based | Access, rectification, erasure, portability, objection, restriction of processing | Data Protection Authorities (per member state) + European Data Protection Board |
CCPA | California, USA | For-profit businesses meeting certain revenue or data volume thresholds that collect personal information of California residents | Know, delete, opt-out of sale, non-discrimination, correct, limit use of sensitive personal information | California Privacy Protection Agency (CPPA) |
HIPAA | USA (federal) | Covered entities and business associates handling protected health information | Access, amendment, accounting of disclosures, restrictions on certain uses | US Department of Health and Human Services, Office for Civil Rights |
A few things B2B organizations frequently underestimate:
The CCPA is unique in applying not only to consumer data but also to HR and B2B data contexts. Organizations that purchase or process B2B contact data for California residents have CCPA obligations they often do not account for in their compliance programs.
CPPA enforcement commenced March 29, 2024, and in September 2025 the CPPA approved new cybersecurity audit and risk assessment regulations. The enforcement posture is accelerating, not stabilizing.
California alone has enacted more than 25 state privacy and data security laws. Treating US privacy compliance as a single-framework problem is not a viable approach for any organization operating at scale.
Personal data privacy best practices for organizations and individuals
Strong personal data privacy programs require action at both the organizational and individual level. The following practices reflect what privacy officers, compliance teams, and individual users can do to reduce risk and build trust.
Organizational best practices:
Establish a legal basis for data collection before collecting. Under GDPR and most modern frameworks, collecting data without a lawful basis is a violation regardless of how securely the data is stored.
Maintain a data inventory and apply data minimization principles. Collect only what you need, retain it only as long as necessary, and document where it lives.
Make privacy notices clear and accessible. Notices buried in legalese or hidden behind cookie banners do not constitute meaningful transparency. Plain language and prominent placement are the standard.
Build a data subject rights response process. Organizations must be able to respond to access, correction, deletion, and portability requests within regulatory timelines.
Implement breach notification procedures with defined timelines. GDPR requires notification within 72 hours of discovery. Know your obligations before an incident occurs.
Individual best practices:
Review privacy settings on devices and apps regularly. Default settings often favor data collection over privacy.
Minimize data shared with third parties. The fewer parties that hold your data, the smaller your exposure surface.
Understand your opt-out rights under CCPA and GDPR. Both frameworks give individuals meaningful rights to limit how their data is used.
Use strong authentication on accounts holding sensitive data. Multi-factor authentication significantly reduces the risk of unauthorized access.
Monitor for data breach notifications. Services like HaveIBeenPwned can alert you when your credentials appear in known breach datasets.
As Dronen noted, privacy officers can also support sales teams directly: asking customers ahead of time what data privacy expectations their leaders have, offering to join customer calls to address specific compliance questions, and ensuring marketing creates content that clearly explains data collection practices. Web experiences should present opt-in and opt-out choices in a visually clear format, not as afterthoughts buried in banners or pop-ups. When brands make privacy an afterthought, customers notice.
How ZoomInfo approaches personal data privacy
ZoomInfo is an all-in-one AI GTM Platform built on the most comprehensive B2B data platform in the industry. The platform covers 500M contacts, 100M companies, 200M+ verified business emails, and 135M+ verified phone numbers, with multi-source verification and 300+ human researchers achieving up to 95% accuracy on first-party data. For go-to-market teams navigating complex privacy requirements, the quality of the underlying data is not a secondary concern: it is the foundation of compliant, effective outreach.
The GTM Context Graph is ZoomInfo's intelligence layer, processing 1.5B+ data points daily. It fuses B2B data with CRM signals, conversation intelligence, and behavioral data to surface not just what happened in an account, but why deals move. That reasoning layer is what separates a platform built for modern GTM from a static contact database.
Universal access means go-to-market teams can act on privacy-compliant data in any tool or workflow. GTM Workspace gives sellers an AI-native front end for prospecting and pipeline management. GTM Studio serves marketers, RevOps, and GTM engineers building audiences and orchestrating plays. APIs & MCP extend that same data and intelligence to any custom tool, AI agent, or workflow a team wants to build, including integrations with Claude, ChatGPT, and other AI environments.
ZoomInfo holds ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR/CCPA certifications. These credentials are not compliance checkboxes: they reflect a platform built with privacy-by-design principles from the ground up, which matters when enterprise IT and legal teams are evaluating vendors.
Ready to see how ZoomInfo handles data privacy at enterprise scale? Request a demo.
Frequently asked questions about personal data privacy
What are 5 examples of personal data?
Personal data includes any information that can identify an individual, directly or indirectly. Direct examples include full name, Social Security number, financial account details, health records, and biometric data such as fingerprints. Indirect examples include IP addresses, device IDs, job titles, and behavioral data like browsing history, these become personal data when combined with other available information.
What is the difference between data privacy and data protection?
Data privacy defines who has the right to access personal data and governs the rules around consent, transparency, and data subject rights. Data protection refers to the technical and organizational measures that enforce those access rights, including encryption, access controls, and breach detection. A company can have strong data protection controls and still fail on privacy if it lacks a lawful basis for collecting data in the first place.
What are the main personal data privacy laws?
The three most significant frameworks for B2B organizations are GDPR (European Union, applies to any organization processing EU residents' data), CCPA (California, uniquely applies to both consumer and B2B/HR data contexts), and HIPAA (US federal, governs health data). The US has no comprehensive federal privacy law, so organizations operating across multiple states must navigate a patchwork of state-level regulations. California alone has enacted more than 25 privacy and data security laws.
What is PII and how does it differ from general personal data?
PII (Personally Identifiable Information) is a US-regulatory term for data that can directly or indirectly identify a specific individual: names, Social Security numbers, email addresses, and IP addresses are common examples. "Personal data" is the broader term used in GDPR and most international frameworks, and it includes PII plus additional categories such as behavioral data, pseudonymized data, and special-category data (health, biometrics, religion). Pseudonymized data is still classified as personal data under GDPR; only truly anonymous data falls outside personal data definitions.
How should sales teams handle customer data privacy concerns?
Sales reps should proactively ask customers about their data privacy expectations before sharing or requesting sensitive information. Privacy officers can be brought into customer conversations to address specific compliance questions, a practice that builds trust and can accelerate deal cycles. Organizations should also ensure their marketing team creates content that clearly explains data collection practices, and that web experiences present opt-in and opt-out choices in a clear, accessible format rather than as afterthoughts. For teams using third-party B2B contact data, understanding how ZoomInfo collects data is a useful starting point for addressing customer compliance questions.