Privacy Laws Raise the Question: Which Personal Data is Sensitive?

2022 is proving to be a critical year for data privacy in the US. With new data laws going into effect next year in California, Colorado, Virginia, and Utah, businesses are already preparing for an expected increase in regulatory enforcement.

While data privacy protection has been around for several decades — the EU’s Data Protection Directive was enacted in 1995 — every wave of new laws requires companies to refine their practices. And because almost every company collects or tracks some type of personal data, a key distinction for compliance leaders is what type of personal information is considered “sensitive personal data.”

Personal Data

Personal data is a relatively vague term and covers a wide range of information — from your name and address to what you watch on Netflix. There’s a lot of personal data that the average consumer may not realize is being collected. Some companies are simply interested in your browsing history, while others are tracking the way your mouse moves over a page. 

Privacy laws are designed to restrict how data is captured and stored, particularly personal data. Since the European Union’s General Data Protection Regulation (GDPR) has more stringent guidelines, we’ll use its definitions throughout this article.  

The GDPR defines personal data as any piece of information that relates to an identifiable and natural person (meaning a living, breathing human and not a company). If the person can be identified — either directly or indirectly — using the acquired information, it’s considered personal data. Different regulations use varying terms for personal data, including personal information and personally identifiable information (PII), but they all refer to the same thing. 

Here are some examples of personal data: 

  • Name and surname
  • Home address
  • Email address
  • Identification card number, like a driver’s license
  • Location data
  • IP address
  • Advertising identifier of a phone

Any one of these pieces of information may not identify an individual on its own. For instance, Bob Brown is a common name that wouldn’t necessarily lead you to any specific person. But Bob Brown combined with a street address gives you a much better chance of pinpointing a specific individual. And some pieces of data can be an identifier on their own, like a business email address.

Typically, organizations will collect and store several types of personal data in order to have enough information to correctly identify a person. But laws like the GDPR, and others in place across the US, require businesses to disclose data capture up front, explain what information they’re capturing, its intended use, and the length of time the business will keep the information. This helps protect people while still allowing organizations to gather essential consumer information. 


Sensitive Personal Data

Sensitive personal data is a whole different story. Health records, political affiliation, and images of individuals fall under this category. This type of personal information can still be collected by companies, but there are greater restrictions around how that data is captured and managed. 

The GDPR classifies sensitive personal data using the following categories:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Data concerning health
  • Data related to a person’s sex life or sexual orientation
  • Biometric data, like fingerprints and facial images

As you can imagine, most companies don’t need this type of data. The GDPR has strict measures in place to ensure most companies can’t collect or access this information. 

What Kind of Data Does ZoomInfo Collect? 

At ZoomInfo, we collect information about companies and individuals in a business context, like a company website or professional profile. This is primarily public information, such as names, phone numbers, and work email addresses.

Simon McDougall, a former data privacy regulator in the UK, joined ZoomInfo in 2022 as our chief compliance officer. He notes that even though B2B data is inherently lower-risk data, ZoomInfo places a premium on being a privacy-first company — because it’s the right thing to do.  

“Data privacy is an integral part of our business, not an afterthought,” McDougall says. “We hold ourselves to the highest standard of data privacy compliance, not just for the sake of our company, but for our customers’ peace of mind as well.”

We’re market leaders in both the depth and scale of our privacy function, to ensure public trust and remain compliant with the strictest privacy laws and regulations. We’re committed to ensuring our customers feel confident in our practices of data collection. Valuing data privacy is an essential part of upholding customer trust. 

To read more about our privacy efforts, including how we source and update our data, visit our Privacy Center.