Practically, for most website owners, this translates to any data that could potentially identify a specific individual. This may include but is not limited to:
Names and Addresses
IP Addresses
Email Address
Financial Information (PIFI)
Unique Identifiers (like a passport or social security numbers)
Medical information
Biometric elements (facial recognition, fingerprint)
A person’s location, occupation, gender, etc.
It's important to note that the GDPR, CCPA, and VCDPA deal with the total sum of information saved on users. So while a data-set in itself might not be enough to identify users, it would still be considered personal data if it could be used to do so when combined with another data-set.
A good example of this is a list of first names. It would not be a breach of GDPR, CCPA, or, VCDPA to create such a list, maybe to identify the most popular first name of your users. You wouldn't be able to identify any individual from a list saying 'John, Jane, Mike'. But if you combined this list with any other values, such as surnames, emails or similar, it might be enough to identify an individual. And that would be a breach.
GDPR , CCPA, and VCDPA are in most aspects very similar. If you have any questions on GDPR, try looking over our Frequently Asked Questions on GDPR.
Data that could potentially be used to identify an individual should never be pushed to nor captured by Mouseflow. To prevent Mouseflow from displaying and/or capturing personal data in Heatmaps and Session Replays, you can use our Visual Privacy Tool to exclude elements that contain it. Here is our article on using the Visual Privacy Tool.
Please note the current version of Mouseflow does not collect and store the visitor's IP address, and cannot be configured to do so.
You're also welcome to contact us at support@mouseflow.com if you have any questions.