Practically, for most website owners, this translates to any data that could potentially identify a specific individual. This includes:
Names and Addresses
Financial Information (PIFI)
Unique Identifiers (like a passport or social security numbers)
Biometric elements (facial recognition, fingerprint)
A person’s location, occupation, gender, etc.
It's important to note that the GDPR and CCPA deal with the total sum of information saved on users. So while a data-set in itself might not be enough to identify users, it would still be considered personal data if it could be used to do so when combined with another data-set.
A good example of this is a list of first names. It would not be a breach of GDPR and CCPA to create such a list, maybe to identify the most popular first name of your users. You wouldn't be able to identify any individual from a list saying 'John, Jane, Mike'. But if you combined this list with any other values, such as surnames, emails or similar, it might be enough to identify an individual. And that would be a breach.
GDPR and CCPA are in most aspects similar. If you have any questions on GDPR, try looking over our Frequently Asked Questions on GDPR.
You're also welcome to contact us at firstname.lastname@example.org if you have any questions.