All five define personal information as data linkable to an individual, going beyond breach-notification definitions. California uniquely includes household and employment data. Common exclusions: deidentified data, publicly available data, aggregate data, employee data, and federally regulated data.
In all five states, personal information means data that can be associated or linked with a particular individual - broader than the narrow definition in breach-notification laws. California uniquely extends it to the consumer's household and is the only state to include employment data.
Exclusions from personal information
Exclusion
Which states
Deidentified data
All five
Publicly available information
All five
Federally regulated data (HIPAA, GLBA, FCRA, DPPA)
All five (generally)
Aggregate data
California, Utah, Virginia (explicitly)
Employee/employment data
Connecticut, Utah, Virginia exclude it; Colorado limits it to employment records
⚠️ Aggregate data is not universal
While deidentified and publicly available data are excluded by all five, aggregate data is explicitly excluded only by California, Utah, and Virginia. Don't assume all exclusions are uniform.
Key terms - quick answers
What is “Personal information”?
Any data that can be associated or linked with a particular individual; California also covers household and employment data.
What is “Deidentified data”?
Data that cannot reasonably be associated or linked with a particular individual; excluded by all five states.
What is “Publicly available information”?
Information lawfully made available by federal, state, or local governments; excluded by all five states.
What is “Aggregate data”?
Information about a group of consumers with individual identities removed so it is not reasonably linkable to a consumer; explicitly excluded by California, Utah, and Virginia.