What is personal data, and how can you protect it?

Your personal information is constantly being collected, shared, and stored, often without you even realizing it. Whether you're concerned about data privacy or fraud or worried about becoming a victim of identity theft, the best defense starts with knowing what you're up against. In this guide, we’ll explain the definition of personal information, provide real-world examples, and list actionable steps to protect your online and offline data. 

Ugnė Zieniūtė

September 1, 2025

What is personal information?

Personal information, also called personal data, is any detail that can be used to identify, locate, or contact a specific person. This data includes your name, phone number, physical address, email address, mailing address, and even details like your birthday and IP address. 

Different countries and global privacy laws define personal information in slightly different ways. In the United States, the term generally refers to any information linked to an individual, whether directly (like your full name) or indirectly (like a device identification number or cookie data). The legal definitions are even broader under the EU General Data Protection Regulation (GDPR).  The GDPR defines personal data as any information relating to an identifiable natural person (data subject). This information includes location data, social identity, biometric data, online behavior, and political beliefs.

Companies, websites, apps, and even government entities collect and process personal data daily. Sometimes this happens with your knowledge, but your data is often gathered without it. Once collected, that information can be used to profile you.

Examples of personal information

Now that we’ve defined it, let’s look at what counts as personal information in practice. This category is broad and includes both obvious and less obvious identifiers. Generally, any information that can be tied to your identity, either directly or indirectly, is considered personal data. Below are the most common types of personal data:

  • Full name
  • Email address
  • Phone or mobile number
  • Home or mailing address
  • Date of birth
  • Driver’s license number
  • Social Security number
  • Social identity
  • Device identification number
  • Bank account and credit card details
  • Passport number and details
  • Online identifier
  • Online account usernames and passwords
  • Device IP addresses
  • Location data
  • Biometric data (like fingerprints or facial recognition)
  • Income and employment information
  • Proprietary business details
  • Health records or medical history

All this information can be used (either on its own or together) to identify or impersonate someone. That’s why it’s often targeted in data breaches, cyber extortion, and phishing attacks. To help draw the line, it’s also useful to know what’s not considered personal information:

  • Anonymized or grouped data that can’t be traced back to one specific person
  • Publicly available data categories, like a business’s address or general company contact number
  • Generic browsing behavior not linked to a particular consumer or device

Personal information (PI) vs. personally identifiable information (PII)

The terms personal information (PI) and personally identifiable information (PII) are often used interchangeably, but they aren’t the same. They do overlap, but not all personal data is considered personally identifiable.

PII refers specifically to data that can be used on its own to identify an individual. For example, your full name, Social Security number, or passport number can be directly linked to you because they’re unique.

PI, on the other hand, is a broader category that includes PII and data that may not identify you by itself but could pinpoint you when used together with other information. For instance, browsing habits or geolocation are generally considered personal data, but they can become personally identifiable when paired with your email address or IP.

This distinction is especially important when dealing with data privacy laws and regulations. For example, the GDPR and the California Consumer Privacy Act (CCPA) use different definitions, and the type of data you collect or store determines your legal responsibilities. According to the GDPR, data stops being personal or private once it is anonymized.

Personal information vs. sensitive data

Similar to PII, not all sensitive data can pinpoint a specific person. Sensitive information goes a step further because it refers to information relating to you that, if exposed or misused, could cause significant harm or discrimination.

Personal information is broad and includes names, email addresses, and phone numbers — details that might seem harmless but still help identify you. On the other hand, sensitive information includes intimate details about a person’s identity, beliefs, health, or background. Let’s take a look at a brief overview.

This distinction matters because sensitive information is typically subject to stricter legal protections and security requirements under many data privacy laws, such as the GDPR, HIPAA, and other privacy frameworks.

For instance, the 23andMe data breach is a striking example of identity theft with far-reaching consequences. The genetic testing company needed to pay a settlement of $30 million after being sued when its data was compromised. The hackers specifically targeted people who were of Chinese and Ashkenazi Jewish descent. 

How does my information end up on the internet?

Most of the time, your information ends up on the internet passively, through everyday interactions with websites, apps, and services.  

  • Online forms and account sign-ups: Every time you fill out a form (whether to subscribe to a newsletter, download an ebook, or open an account), you’re entering personal and subjective data that is stored and often shared behind the scenes.
  • Social media activity: Posting photos, tagging locations, listing your job title, or revealing your birthday might seem harmless, but hackers or data brokers can piece these personal data points together to build a complete profile of you. 
  • Online shopping and payment portals: Your name, email, shipping address, and payment details are collected at checkout. Some platforms also track and store personal information, like your shopping behavior, device usage, and login habits. 
  • Cookies and trackers: Websites often use cookies to monitor your browsing behavior. They track one or more factors specific to your browsing behavior, like which pages you visit, how long you stay, and what you click. This data is often sold to advertisers or analytics companies.
  • Public records and data brokers: Sometimes your data is collected from government sources (like property records or court filings) and sold by third-party personal data brokers. These companies can compile massive databases of personal data and sell access to marketers, insurers, or even scammers.
  • Data breaches: If a company you’ve interacted with suffers a breach, your data could be leaked on the internet or even the dark web. Unfortunately, even the most reputable companies aren’t immune.

In many cases, your personal information is shared far beyond your control. Data collection might be buried in a privacy policy you never read or shared with third parties through partnerships you’re unaware of.   

Once your data is out there, it’s nearly impossible to get it back. However, you can still take steps to reduce your exposure and respond quickly if your data is compromised. To help you stay ahead, read our guide on how to check if someone is using your identity.

Is it possible to remove your personal information from the internet?

Removing your personal information from the internet is difficult but not impossible. While you may be unable to erase every trace of your personal information, you can take meaningful steps to limit exposure and minimize risk. For example, you can:

  1. Delete old accounts and profiles. Search for accounts you no longer use, such as those on social media, forums, shopping sites, or newsletters, and delete them. 
  2. Submit removal requests to data brokers. Companies like Spokeo, Whitepages, and PeopleFinders compile and sell personal data. Many are legally required to offer opt-out processes. You can submit requests manually or use a service like Incogni, which automates the process and contacts hundreds of brokers on your behalf.
  3. Set accounts to private. If deleting your accounts isn’t an option, change your privacy settings on your social platforms to limit how much information is publicly viewable.
  4. Ask websites directly. If your name or personal data appears on a blog or company site, contact the site owner and ask them to remove it. While not always guaranteed, many will comply and help you protect your personal information.
  5. Hire a professional service. Some services offer personal data removal from people-search sites for a fee. These services may be worthwhile if you’re high-risk or already dealing with identity misuse.

Is it possible to remove personal information from the dark web?

Unfortunately, removing personal information from the dark web is impossible. Once your details are exposed there, you can’t forcefully erase them. The dark web is decentralized and anonymous, making tracing or deleting specific data impossible. However, you can take steps to manage the damage.

The first and most important step is awareness. You need to know if your data has been compromised so you can respond quickly. NordProtect offers a dark web monitoring feature. It can constantly scan underground marketplaces and forums for leaked credentials tied to your identity, sending you instant alerts if your data shows up.

If your personal information has been found on the dark web, follow these steps:

  • Change affected passwords immediately.
  • Monitor your credit and bank accounts for suspicious activity.
  • Place a fraud alert or credit freeze.
  • Report the incident to the FTC at IdentityTheft.gov.

While you can’t undo the breach, fast action can stop a bad situation from getting worse. Taking appropriate security measures will also help you protect your sensitive personal data.

How can you protect your personal information?

While you can’t completely remove your digital footprint, you can make it harder for scammers and data harvesters to misuse your personal data. These practical tips can help you take back control of your privacy and protect your personal information:

  • Use strong, unique passwords for every account. Consider a password manager to keep track of them.
  • Enable two-factor authentication (2FA) wherever possible to add an extra layer of security beyond passwords.
  • Be familiar with legal definitions and the basics of data security.
  • Be cautious with public Wi-Fi. Avoid accessing banking or sensitive accounts on open networks without a VPN.
  • Limit what you share online, especially birthdates, addresses, or family connections that could be used to answer security questions.
  • Review your privacy settings on social media, apps, and online accounts regularly.
  • Monitor your credit file and public records for unfamiliar activity.
  • Use identity protection services like NordProtect.

NordProtect offers 24/7 dark web monitoring to detect leaked credentials, credit monitoring with immediate alerts, and security warnings so you can act before your data is misused. If your identity is compromised, it also offers up to $1 million in identity theft recovery coverage to help with eligible expenses like legal fees, lost wages, and document replacement (subject to a $100 deductible).

Ugnė Zieniūtė

Ugnė is a content manager focused on cybersecurity topics such as identity theft, online privacy, and fraud prevention. She works to make digital safety easy to understand and act on.