Personally identifiable information (PII) is defined differently under different laws, but overarchingly, it is data that identifies, describes or is otherwise associated with a unique individual.
Every time you stream a show, buy a product online, register for a newsletter, pay your bills, download a free app, or apply for a credit card, you give up data about yourself. Even without your knowledge, information about who you are, what you do, and what you like is compiled and analyzed behind the scenes for a variety of uses.
Personal information is a valuable asset that fuels much of today’s digital economy. It is at the heart of innovative technologies like AI, the subject of ongoing legislative reforms, and a seemingly never-ending string of public scandals and data breaches.
Data privacy is critically important for every business, and it’s not something to be taken lightly. According to Gartner, “By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today.” For business owners, it’s not just about the amount of data being collected and stored. There are many other common data privacy issues to be aware of.
The root of them will revolve around the kinds of PII your organization regularly utilizes.
What Is Personally Identifiable Information?
Your online presence and all the details that are (waves hands vaguely in the air) you, are what’s known as PII. Basically, it’s any type of information that can identify or be used to identify a specific individual. For example, the US government defines PII data meaning in the Code of Federal Regulations 2 CFR § 200.79 as:
“Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”
One of the unfortunate consequences of the rise of digitalism is that whenever you go online, pieces of yourself are caught up in the virtual web.
Think about every time you purchase or sign up for an activity online. At the very least, you’ll likely provide your home and billing address, contact information, and credit card details. Now, multiply that across countless websites, newsletters, signups, and social media platforms.
Although some of this information is publicly available, certain information is restricted. Regardless, whenever customers give their personal information, they’re entrusting businesses to safeguard it and only use it for business-related purposes.
Failure to do so could result in serious consequences, including fines, penalties, and reputational damage.
Sensitive PII vs Non-Sensitive PII
Data privacy commonly concerns a subset of PII called Sensitive Personal Information. (Defined as “special category” personal data in Europe). This is personal information that requires extra care.
Experian makes the following distinction between the two: “Sensitive data includes anything that has legal, contractual, or ethical requirements for restricted disclosure. Non-sensitive PII is information that is public record (in phone books and online directories, for instance).”
Admittedly, there is some gray area with certain types of information bleeding into either category, especially since non-sensitive data could feasibly be combined with sensitive data to perform identity theft.
How can you tell the difference?
You can distinguish one from the other by first checking whether a law provides a definition. As we cover below, many laws do and the definitions provide itemizations. If the concept is not explicitly defined, you will need to ask yourself whether the leak or loss of that information could result in significant personal embarrassment (e.g., health condition), personal safety risk (e.g., frequented location), or some other financial, reputational or emotional harm (e.g., consequenced from economic discrimination, identity theft etc).
If so, it’s sensitive PII and heightened technical and organizational protections are needed to ensure its lawful, safe and responsible use. As an example, this can mean severely limiting who in your organization has access to the data, setting policy to require a privacy impact assessment before the data can be used, and tightening contractual restrictions with service providers who may handle the data. It’s not just about sound security.
What Is Personally Identifiable Information (PII) in Privacy Law?
Modern privacy laws go beyond the traditional notion of real-world identifiability. The concepts of ‘personal’ and ‘identifiable’ have evolved with the Internet, the growth of the digital economy, and the proliferation of always-on, always-connected mobile devices. Modern legal definitions take into account online identifiers like cookies and IP addresses, and how they can be used to connect information about individuals — online and offline. Irrespective of your region or industry, you may be handling a range of data elements deemed ‘personal’. As well as specially regulated types of consumer data defined as ‘sensitive’.
Comprehensive and generally applicable data privacy laws like Europe’s GDPR and California’s CCPA (as amended by the CPRA) define standard and sensitive personal data. In turn, specialized laws like US HIPAA (healthcare sector) and US COPPA (children’s data) address particular consumer protection issues.
Whether broadly applicable or specific to certain kinds of data, these privacy regimes create obligations and requirements you need to manage against.
Let’s look at these four examples:
The General Data Protection Regulation (GDPR) is Europe’s flagship data privacy law that in 2016 redefined ‘PII’ for a modern, hyperconnected digital world.
The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’)”. In turn, a data subject is “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The definition includes unique online and mobile identifiers such as cookies and device MAC addresses; users’ online behaviors, habits, and interests that can be compiled and analyzed for business uses; communications and media contents; and inferred information about individuals — or their browsers and devices.
The GDPR also defines sensitive data. ‘Special category’, meaning sensitive personal data, is that which reveals and individual’s
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data or biometric data that uniquely identifies a natural person
- Health and ailment information
- Data concerning a natural person’s sex life or sexual orientation
The GDPR’s definitions set a global benchmark. The law redefines ‘PII’ for the digital economy by making it clear that what is ‘personal’ is contextual, and what is ‘identifiable’ is a down to technical capability.
The California Consumer Privacy Act (CCPA) is a recently enacted state law partially modeled after the GDPR. The CCPA borrows much from Europe’s concept of “personal data” to go beyond the traditional notion of ‘PII’. It also goes one step further in a way that is uniquely Californian: it brings households into the mix.
The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
The definition goes on to list these and other identifiable ‘personal’ data elements:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Commercial information, including records of personal property
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Geolocation data
- Biometric and genetic information
The California Privacy Rights Act, a ballot initiative that expands the CCPA and brings California’s privacy regime closer to Europe’s, introduces the state’s own version of ‘special category’ data.
CPRA added a GDPR-style definion “sensitive personal information” to the CCPA. SPI is information that “reveals a consumer’s”:
- Social Security Number, driver’s license or another government-issued ID
- Financial account or payment card information when combined with authentication information
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Communication contents (with some exceptions);
- Genetic and biometric information in a uniquely identifiable way;
- Health and ailment information
- Sex life or sexual orientation information
As a healthcare user you are likely to hear health information referred to as Protected Health Information or PHI, but what is considered PHI under HIPAA? And how does this relate to personal data (or ‘PII’)?
The US Health Insurance Portability and Accountability Act is a federal law that creates national standards for protecting sensitive patient health information. Organizations subject to HIPAA cannot disclose healthcare and medical insurance related information without the patient’s knowledge or authorization. Organizations are also required to follow the HIPAA Privacy Rule and the HIPAA Security Rule to ensure patient rights and data are protected.
So what is PHI? We can think of it as a specialized subset of personal information that specific kinds of organizations need to mind. Generally, if patient information is associated with one or more of the below identifiers, the resulting data sets are PHI.
HIPAA identifiers that make health information PHI are:
- Dates, except year
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses
- Full face photos and comparable images
- Biometric identifiers (i.e. retinal scan, fingerprints)
- Any unique identifying number or code
Once again, context matters but with HIPAA the context is more prescribed.
The US Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under the age of 13 when they use child-directed websites, apps or platform services, including online and mobile games. COPPA creates obligations for businesses targeting websites, apps, games and services to children. Notably, children’s data cannot be collected, used or shared without prior parental consent.
COPPA defines children’s personal information as “individually identifiable information about an individual collected online, including:
- A first and last name
- A home or other physical address including street name and name of a city or town
- Online contact information as defined in this section
- A screen or user name where it functions in the same manner as online contact information, as defined in this section
- A telephone number
- A Social Security number
- A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. (e.g. customer ID, cookie, IP address, device ID etc)
- A photograph, video, or audio file where such file contains a child’s image or voice;
- Geolocation information sufficient to identify street name and name of a city or town; or
- Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.
Like protected health information, protected children’s information can be viewed as a subset of personal information (or ‘PII’ if you like).
What Qualifies as Personally Identifiable Information?
As we illustrated above different laws define the notion of ‘PII’ differently, but there are many similarities.
All in all, personal information concerns an identified or identifiable individual. This can be one discrete element or a combination of elements. Whether the person can be identified directly or indirectly is largely a question of context and technological ability.
DataGrail A Privacy Control Center for Your Business
To comply with the GDPR, CCPA and other privacy regulations, you need to first know what kinds of personal data you collect, store, share or otherwise use across your business.
Fortunately, there are powerful tools that make the complicated process of data mapping easy. At DataGrail, we offer a platform that is very easy to use and connects to over 1400 common systems. Our robust integration network negates the need to scour complicated contracts to figure out what personal data is processed, and avoids risky business practices like allowing access to user email inboxes.
DataGrail helps you build an understanding of your personal data (PD/PI/PII) processing ecosystem, so that you could conduct more transparent, accountable business.
If you want to gain control of your data, automate data subject requests, and enjoy a privacy solution that scales with your business, request a demo today.
Intersoft: General Data Protection Regulation
HIPAA Journal: What is Considered PHI Under HIPAA?
Federal Trade Commission: Kid’s Privacy (“COPPA”)
CalPrivacy: Californians for Privacy Rights Act
Office of the California Attorney General. California Consumer Privacy Act (CCPA).