Understanding Personally Identifiable Information, or PII

In this data-driven information age, any organization that is handling customer data must be acutely aware of the collection, use and retention of data that can be “personally identified”. Personally identifiable data is the main focus of most privacy laws and regulations. Legal implications can be significant if identifiable data is misused or exposed during the data breach. Advances in technology have made the scope of “identifiable data” much boarder, thereby increasing the risks associated with it. Businesses operating globally must be well aware of the definition of personal information because it varies from country to country. Here, in the US, states have widely varying definition of “personal information” and these definitions are constantly changing as a result of advances in data collection technologies. These newer technologies, most of which are mobile can make the seemingly anonymous aggregate data easily identifiable. This ever changing regulatory environment adds to the complexity of the overall issue.

Understanding the Definition
In the United States the term “PII” is widely used – which stands for personally identifiable information. In the EU, this is referred as “personal data”. The term “Data Subject” is also widely used to describe the person whose information is being in question.

The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” This quite broad definition or personal information is relevant to all businesses who’s customers are from the European Union.

According to Baker and Hostetler, one of the major law firms in the country that specializes in privacy law, the main definition of personal information that applies to all states is “an individual’s first name or first initial and last name plus one or more of the following data elements:

• Social security number
• Driver’s license number or state issued ID card number
• Account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access account
• Computerized data that includes personal information.

In its Data Breach Charts Baker and Hostetler reveals that many states have even broader definitions of PII. States also have different requirements for the data breach notifications. For example, in addition to the above described personally identifiable information definition, the state of California considers “a user name or email address, in combination with a password or security question and answer that would permit access to an online account; information or data collected through the use or operation of an automated license plate recognition system; medical information and health insurance information” as a personally identifiable information.
In the recent article, privacy professionals Emily Tabatabai and Shea Leitch write that California’s initial data breach notification legislation is now passed in 47 states and more than half of these states have a much broader definition of personal information than the original California definition.

The Children’s Online Privacy Protection Act (COPPA) enacted by congress in 1998 defines personally identifiable information as

• A first and last name;
• A home or other physical address including street name and name of a city or town;
• Online contact information as defined in this section;
• A screen or user name where it functions in the same manner as online contact information, as defined in this section;
• A telephone number;
• A Social Security number;
• A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier;
• A photograph, video, or audio file where such file contains a child’s image or voice;
• Geolocation information sufficient to identify street name and name of a city or town; or
• Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

This definition of personally identifiable information has clearly a much broader scope that the traditional definition and includes data collected via persistent identifiers, cookies and other technological means. Jessica Rich, the Director of FTC Bureau of Consumer Protection noted that FTC “regard[s] data as “personally identifiable,” and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

While COPPA might be relevant only to the companies that collect personal information of children under the age 13, in the light of recently enacted EU privacy regulations it is wise to apply the broader definition of personally identifiable information to the enterprise data collection practices. Anonymous data collected via technology becomes identifiable if that data is connected to the personally identifiable information. Enterprises should be aware of the types of data they are collecting at any given time and apply the broadest possible definition of identifiable data to their data collection practices in order to avoid legal obligations down the road. In the recently released 2016 Global Data Protection Enforcement Report, global law firm Baker & McKanzie emphasize the importance of understanding data enforcement laws and having greater compliance controls for multinational corporations due to heavy costs of non-compliance. A clear, broad definition of what is personal information (or personal data, personal identifiable information) is a strong foundation on which data collection practices should be built.