What Constitutes Personally Identifiable Information or PII?
If you’re trying to protect something, it’s important to understand exactly what it is you’re trying to protect.
This is true of personally identifiable information or PII.
PII is any data that can be used to identify a person. It’s the personal information we’re trying to protect with data privacy and cybersafety technologies, because it’s so valuable to data brokers and bad actors everywhere.
In the US, the National Institute of Standards and Technology (NIST) defines PII as: “… any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
The NIST clarifies the key concepts: “To distinguish an individual is to identify an individual … To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status.” Linked information is information that is logically associated with other information about the individual, while linkable information is information that can possibly be logically associated with other information about the individual.
Examples of PII are:
- name, such as full name, maiden name, mother‘s maiden name, or alias
- personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number
- address information, such as street address or email address
- asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other [device]-specific persistent static identifier that consistently links to a particular person or small, well defined group of people
- telephone numbers, including mobile, business, and personal numbers
- personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
- information identifying personally owned property, such as vehicle registration number or title number and related information
- information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
The NIST definition is useful for a consumer trying to understand data privacy risks and protections. It explains the types of personal data that must be protected because it’s the highly sensitive information that web applications may collect, store indefinitely, and/or sell to other organizations. It’s also the information that can be exposed through a data breach.
But organizations looking to comply with data privacy laws and regulations must understand PII far beyond any general definition of the concept. Compliance with specific regulations depends on how the personal information in scope in each of those regulations is defined.
Terms and definitions vary. Some laws or regulations use the term PII, while others, such as the European Union’s General Data Protection Regulation (GDPR), which applies to any organization in the world that targets or collects data on people in the EU, uses “personal data”. The GDPR defines personal data as: “… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The California Consumer Privacy Act (CCPA) takes a slightly narrower view of what constitutes personal information than the GDPR, but changes due this year are expected to broaden the scope. Presently the CCPA defines personal information as:
- identifiers such as a real name, alias, postal address, unique personal identifier, online identifier IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
- characteristics of protected classifications under California or federal law
- commercial information including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies
- biometric information
- internet or other electronic network activity information including, but not limited to, browsing history, search history and information regarding a consumer’s interaction with a website, application or advertisement
- geolocation data
- audio, electronic, visual, thermal, olfactory or similar information
- professional or employment-related information
- education information, defined as information that is not publicly available personally identifiable information (PII) as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
A company can have obligations under both the CCPA and the GDPR, in addition to obligations under other laws and regulations depending on where the company is located or does business.
So, what does all this tell us? As consumers, it highlights how much we all have at stake given the vast range of data points that can be collected and correlated about us. For businesses, it highlights the sheer weight of responsibility to get compliance right across various (and varying) regulations, especially given regulators are struggling to keep up with the demands of the GDPR. Data management is a growing headache for enterprise.
But as the NIST points out: ‘The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores.’
This is exactly why at Anonyome Labs, we offer data minimization solutions for enterprises and consumers. Our platform-based offering gives businesses an easy way to engage without collecting, managing, and risking their users’ personal data. See what we offer.