What is PII? An Intro to Personally Identifiable Information
Privacy professionals often refer to the information covered by privacy laws as PII, short for personally identifiable information. However, for businesses preparing for the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), it can be a daunting task to try to figure out what is covered, and what is not, within the scope of the privacy laws. To make it more difficult, the GDPR refers to personal data and the CCPA refers instead to personal information. In some circumstances, whether information is PII may even be a judgment call.
Let’s start with a basic definition of Personally Identifiable Information (PII). The Federal Trade Commission considers data personally identifiable when it can be reasonably linked to a particular person, computer or device. Under this definition, certain information is clearly within the scope, such as an individual’s full name and their social security number.
Instead of PII, GDPR covers personal data. Personal data is defined in Article 4 as any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The CCPA refers instead to personal information. Personal Information is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA provides a non-exclusive list of eleven categories of personal information.
Businesses need to carefully follow the statutory language and the interpretation of each law in order to determine what is PII. For example, the GLBA regulates Nonpublic Personal Information but imposes a slightly different definition. Nonpublic Personal Information is information that is not publicly available and that a consumer provides to a financial institution to obtain a financial product or service from the institution; that results from a transaction between the consumer and the institution involving a financial product or service; or that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
One of the more controversial areas within the past few years has been when, or if, an IP address is considered PII. In 2016, the Court of Justice of the European Union held that IP addresses are personal data in certain circumstances. The ECJ determined that if a website has the means to track a person (whether by gathering information from a cookie or the ISP) with a dynamic IP address, then the IP address is personal data. Recital 30 of GDPR continued support for the classification of an IP address as an online identifier that may be associated with a natural person.
The United Kingdom Information Commissioner’s Office has published guidance on its website about when an individual is directly or indirectly identifiable. Even if additional information is needed to identify someone from the information held, that information could be considered personal data under GDPR.
The CCPA now also includes “Internet Protocol address” within the category of identifiers, alongside real name, email address, and social security number. The inclusion of IP address in the list of the categories of personal information has been widely considered sufficient to create a bright-line rule for businesses attempting to comply with the law: it should be included within the scope of personal information. However, the chair of Californians for Consumer Privacy has on several occasions argued that IP address collection alone in server logs is not sufficient to be considered personal information. So the question of when an IP address should be considered personal information (particularly for the threshold question of whether a business has sufficient personal information to be covered by the law) may need to be clarified by the California Attorney General.
One step that businesses can take in order to avoid the scope of the privacy laws with respect to certain information is to aggregate or anonymize the data. The CCPA, for example, does not apply to aggregate consumer information where the individual consumer identities have been removed from a group or category of consumers.
However, the challenges of deidentified data have been widely discussed. Too frequently, another data set can be combined with the deidentified data to quickly reidentify it. Organizations that wish to rely on this strategy to avoid taking certain actions with respect to their data need to be very careful to ensure that they are not still in possession of data that is, in fact, within the definition of personal information.
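The linkage risk described above can be checked before a "deidentified" data set is relied on. The following is an added example, not code from the article or from Clarip: it uses constructed sample records, treats zip code, birth year and sex as the quasi-identifiers, reports which rows still map to exactly one named person in a second (constructed, ostensibly public) list, and shows how coarsening those columns raises the minimum group size (k-anonymity) so that the join no longer singles anyone out.

```python
# Added example (not from the article). All records below are constructed.
from collections import Counter

QUASI_IDS = ("zip", "birth_year", "sex")  # assumed quasi-identifier columns

# "Deidentified" records: names removed, quasi-identifiers and a sensitive field kept.
DEIDENTIFIED = [
    {"zip": "02138", "birth_year": 1971, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1975, "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1980, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1980, "sex": "M", "diagnosis": "flu"},
]

# A separate list carrying names plus the same quasi-identifiers (constructed;
# think of a voter roll or marketing list that the organization does not control).
PUBLIC_LIST = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1971, "sex": "F"},
    {"name": "Beth Example", "zip": "02139", "birth_year": 1975, "sex": "F"},
    {"name": "Carl Example", "zip": "02139", "birth_year": 1980, "sex": "M"},
    {"name": "Dan Example", "zip": "02139", "birth_year": 1980, "sex": "M"},
]

def key(rec, cols=QUASI_IDS):
    return tuple(rec[c] for c in cols)

def k_anonymity(records, cols=QUASI_IDS):
    """Smallest number of records sharing one quasi-identifier combination."""
    return min(Counter(key(r, cols) for r in records).values())

def relinkable(deidentified, public, cols=QUASI_IDS):
    """Map row index -> name for rows whose quasi-identifiers match exactly one person."""
    names_by_key = {}
    for p in public:
        names_by_key.setdefault(key(p, cols), []).append(p["name"])
    hits = {}
    for i, r in enumerate(deidentified):
        names = names_by_key.get(key(r, cols), [])
        if len(names) == 1:  # the "anonymous" row now names a specific person
            hits[i] = names[0]
    return hits

def generalize(records):
    """Coarsen quasi-identifiers: 3-digit zip prefix and 10-year birth cohort."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out
```

Run as written, the original rows 0 and 1 each resolve to one named person (k = 1); after generalize() every quasi-identifier combination is shared by at least two people (k = 2) and relinkable() returns nothing.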
Classification of data as PII can be a tricky subject that requires the help of a professional and careful analysis of the privacy laws of concern. For businesses that are attempting GDPR and CCPA compliance, applying a broad definition may be the safest approach to guard against a potential government inquiry.
For help with automated software solutions for your privacy program, call Clarip to schedule a demo of our privacy software for CCPA and GDPR at 1-888-252-5653.