6

As a follow-up question from this question, a person's name, age, address, and party affiliation are considered public data.

I'd like to ask then what is considered personal information?

So if there is a website data breach, i.e. on Facebook, and the hackers get the information mentioned above, Facebook doesn't need to worry because this data is not considered personal information?

Note: Since this is state-specific, what do most states agree is personal information?

Ron Trunk
Grasper

2 Answers

7

Federal and state laws do protect a variety of different types of personal information in particular contexts, but there isn't really any information that is necessarily personal and protected from disclosure in all contexts.

For instance, the Health Insurance Portability and Accountability Act generally protects a person's health records from unnecessary disclosure, and the Federal Education Rights and Privacy Act generally protects a student's educational records from unnecessary disclosure.

But that doesn't mean that all of an American's health information is protected, or that all of the information that a hospital holds about an American is protected. The hospital can typically disclose the fact that it is treating a specific person, and if that person provides his health records to a government employer, that employer may be required to produce them in response to a request under the Ohio Public Records Act.

But Facebook isn't a health-care provider, so it isn't required to protect medical records, and it isn't a school, so it isn't required to protect educational records. At the federal level, I don't know of any privacy laws that require it to maintain the privacy of its users' information, though it may be required to do so under state laws, or as a contractual matter because of its privacy policy.

But that doesn't mean it has nothing to worry about. Like any business in the United States, it is prohibited from engaging in deceptive trade practices, so it can't make broad promises to protect users' privacy when it has no intention of honoring them. That's why it ended up paying $5 billion for privacy violations in the past and remains under court orders requiring it to better protect users' data.

Further, Facebook has users all over the world, so it is required to comply with international privacy regulations like GDPR that can be far more stringent.

bdb484
7

"Personal information" is not really the right concern, although some laws may use that expression (or similar expression like "individually identifiable health information"). Rather than trying to reduce the matter to an arbitrary and legally undefined category of "personal information", it would be more informative to inquire about information that can or cannot be legally disclosed.

First, there are statutory prohibitions – laws that prevent certain people from disclosing specific information without your consent. There are such laws applying to health and educational records or financial information, which limit what information a health care provider can disclose – I'm not a health care provider, so I can legally disclose information about you that your doctor can't disclose. The flip side is that many states also have a legal requirement to publish personal information, including the home address, of sex offenders.

Facebook has established a privacy policy which is part of their terms of service: it says what they can and cannot disclose about you. AFAIK they have no idea what your home address is, but that policy will tell you if they can disclose your address. If they don't grant themselves permission to disseminate your address yet they do so, they have to worry that you will sue them for breach of contract. If a hacker gets your information from their databases, they have a different worry, namely whether they will get sued for negligence. They disclaim liability: they

DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT

to the extent allowed by law. At worst, they would owe you $100 for "letting" a hacker get your home address (which they don't have, anyhow), or your email address (which they do have). The negative consequences for Facebook come not from the fact of information being disclosed, but from the fact of blatant and repeated violation of their own policy, which the FTC deemed to be deceptive.

user6726