Most of our interactions with service providers involve disclosing some personal data, like name, address, phone number, or email. Is this data constitute personal data or personally identifiable information? How to protect it? How to correctly manage personally identifiable information that data controllers collect, use, store, sell or share.
What is Personally Identifiable Information (PII)?
There is no global definition of Personally Identifiable Information (PII), thus, definitions of PII can be different among different entities.
The basic definition says that Personally Identifiable Information (PII) is information that, on its own or combined with other data, can be used to identify, contact, or locate a single person, or to identify a person in context.
There are some examples of Personally Identifiable Information:
- full name, maiden name, or alias
- contact information, like home address, email address, or telephone number
- passport number
- driver’s license number
- Social Security Number
- online identifiers, like Internet Protocol (IP) addresses, cookie identifiers, or browser fingerprinting
- date and place of birth
- ethnicity, race, or religion
- photo of a face
- credit card number
- account username
- financial records
- medical or health records
- biometric data (e.g. fingerprints or DNA)
- online profiles and social media accounts
- employment information, employment applications, and background checks
- education information
- personally owned property, like vehicle registration number, house registration number, etc.
If it is possible to identify a person directly from the information a business is managing, then that information could be referred to as Personally Identifiable Information.
PII that can directly reveal a person’s identity, is referred to as sensitive Personally Identifiable Information. Information such as first and last name, race, sexual orientation, religion, medical information, financial information, employment information, biometric data, credit card number, criminal history, or information related to minors is considered sensitive PII.
Personally identifiable information is no longer personal when it is made anonymous, and a person could not be identified. But for data to be really anonymized, the anonymization must be irreversible. Data that has been encrypted, de-identified, or pseudonymized but could be used to re-identify a person still remains Personally Identifiable Information.
How do the GDPR and the CCPA Define PII?
Many data privacy laws around the world have their own definitions for PII. Despite that, in many cases Personally Identifiable Information covers the same type of information. The EU General Data Protection Regulation (GDPR) was the first data privacy law that enforced the protection of PII in 2018 and had influenced many other laws in the world. Similarly, The California Consumer Privacy Act (CCPA) was the first data privacy law in the US. At the moment, the GDPR and the CCPA are the two most important and popular data privacy laws in the world. Let’s see how these laws define PII.
PII under the GDPR
The GDPR defines personal data as “any information relating to an identified or identifiable natural person ( which is called “data subject”); such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Personal data under the GDPR mean information that directly or indirectly refers to individuals and can be used to identify them.
Publicly available personal data refers to data that is accessible to anyone in the general public, without the need for special qualifications, permissions, or privileges.
There are some differences between the ePrivacy Directive and the GDPR regarding publicly available personal data. ePrivacy Directive protects publicly available personal data electronic communication services or networks. The GDPR personal data does not cover any publicly available data.
PII under the CCPA
The California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The meaning of PII under the CCPA follows the definitions and precedents in US laws and could be broader than the definition of PII under the GDPR.
As in the case of the GDPR, PII under the CCPA does not consider publicly available information at state, federal, or local government levels as PII. Irreversibly anonymized information is also not considered PII.
Role of Cookies in Tracking and Collecting PII on the Internet
Cookies are small pieces of data that are stored on a user's computer or phone by a website. They are often used to track user's movements and actions on websites and to store information about the user, such as login information and preferences. Cookies can be used to track users' movements across different websites and to collect the PII of the user, such as the name, address, email, browsing history, bank account, and preferences.
How do cookies collect PII?
Cookies could track and identify users through unique identifiers stored in cookies.
Cookies can collect PII in several ways. One way is for the website to directly ask the user for their personal information, such as their name, address, and email address. This information is then stored in a cookie on the user's computer or phone.
Another way is for the website to track user's actions and movements on the website and to use this information to build up a profile of users. This profile might include information about the users' preferences, the pages they visit, and the links they click on.
Finally, cookies can also collect PII by tracking the users' movements across different websites. This is often done through Third-Party Cookies, which are placed on the user's computer by a website other than the one they are currently visiting. These cookies can be used to track the user's movements across different websites and to build up a detailed profile of their online activities.
Scan your website for free to see all your website cookies in use.
Risks of exposing PII through cookies
There are several risks associated with exposing PII through cookies:
- Targeted advertising, marketing purposes, and privacy invasion.
- Security vulnerabilities and the potential for data breaches. The users' information could be accessed by hackers who might use it for fraudulent purposes.
- Risk of identity theft. If a hacker is able to access a user's PII, he may be able to use it to impersonate the user and gain access to their accounts and personal information.
How to Protect and Manage PII?
PII management for entities
Collecting and storing PII comes with a lot of responsibilities for companies and organizations since leakage of PII could lead to breaches of data protection laws and loss of trust of users. Companies and organizations should follow these steps to protect the PII they store:
- Identify the PII. Conduct data mapping to find out the PII your business collects.
- Classify the PII. PII or sensitive PII should be handled differently.
- Get user consent before collecting PII. Even if you received consent once, allow your users to opt-out of it at any time.
- Limit the processing of PII. Collect, use or share PII only to what is necessary for fulfilling the initial purpose.
- Implement security measures to protect PII. Ensure that PII could not have unauthorized access, and could not be reached or hacked by third parties.
- Delete any PII when it is no longer necessary for the intended purpose.
- Conduct privacy impact assessments to understand if your business operations breach requirements of privacy regulations or put the PII at risk.
- Train your employees or partners about protecting PII.
- Convert PII to non-Personally Identifiable Information.
Non-Personally Identifiable Information
Non-Personally Identifiable Information is data about a person, that on its own cannot be used to identify a person.
Here are examples of non-Personally Identifiable Information:
- Data Pseudonymization.
- Data encryption.
- Aggregated statistics from the base of users.
Pseudonymization is performed by replacing any identified or identifiable information with artificial identifiers. After the data is pseudonymized, it becomes Non-Personally Identifiable Information.
One of the most commonly used methods of pseudonymization is IP address anonymization. IP anonymization sets the last digits of users' IP addresses to zeros, so the website user's IP address is made anonymous.
However, pseudonymization is limited. Even though pseudonymous data will not identify a person directly, they can be identified indirectly. Here are some examples of personal data that could be used to identify a user indirectly:
- An internet user name, used to post online or at discussion forums.
- Any social networking data, which contains a person’s friend list and login information.
- Internet user-generated data, such as internet searches, discussion forum posts, and personal data they input into their social networking profiles.
- Radio frequency identification (RFID) codes. RFID chips include an identifiable unique number, which individualizes any attached property and can thus be used to identify a person.
- Unique identification numbers on personal devices, like IP address, Mac addresses, Bluetooth numbers, IMEI numbers, or Near Field Communication numbers.
Data encryption works in a similar way to pseudonymization. It replaces unique identifiers with other data, and thus obscures personal data. But unlike pseudonymization, which allows any person who has legal access to the data to view part of the data, encryption only allows approved users to view the complete data.
Aggregated statistics group users into specific categories, for example by gender, employer, age range, etc.
How to protect PII and manage cookies for individuals?
If you are a website user and want to protect your PII, use the following steps to protect your PII on the internet:
- Use safe browsers and browser extensions to control cookie usage.
- Clear and delete cookies regularly.
- Limit the amount of PII shared online.
- Be cautious about sharing PII online or in person.
- Use strong, unique passwords for all accounts.
- Use security measures such as two-factor authentication.
- Keep physical copies of sensitive documents in a secure location.
Personally Identifiable Information (PII) is a valuable type of information that requires careful protection. The GDPR and the CCPA are the two most important and popular data privacy laws in the world that regulate what is PII and how it should be collected, stored, and processed.
Cookies play a significant role in the collection and use of PII on the internet. By understanding how cookies work and taking appropriate steps to protect their PII, users can maintain a higher level of privacy and security online.
By understanding the risks and taking appropriate precautions, website users can protect their PII and reduce the likelihood of identity theft, security vulnerabilities, and other crimes.
Frequently Asked Questions
What is personally identifiable information (PII)?
Personally Identifiable Information (PII) is information that, on its own or combined with other data, can be used to identify, contact, or locate a single person, or to identify a person in context.
What does Personally Identifiable Information (PII) include?
PII includes all types of information, that can be used to distinguish or track an individual, except publicly available and non-Personally Identifiable Information, such as anonymized, encrypted, or aggregated statistics data.
How do cookies collect PII?
Websites can ask users for their personal information directly, then this information will be stored in a cookie on the user's computer or phone. Websites can also track users' actions on the internet with the help of cookies and use this information to build up a profile of users. Cookies can also collect PII by tracking the users' movements across different websites. This is often done through Third-Party Cookies.
What are the risks of exposing PII through cookies?
How can I protect my PII and manage cookies on my web browser?
To protect your PII and manage cookies, use safe browsers and browser extensions to control cookie usage, clear and delete cookies regularly, limit the amount of PII shared online, be cautious about sharing PII online or in person, use strong, unique passwords for all accounts, use security measures such as two-factor authentication, and keep physical copies of sensitive documents in a secure location.
Can I completely opt out of cookie tracking?
There are strictly necessary cookies, that could not be opted out since the website would not function without them. Other cookies like performance, functionality, tracking, or targeting cookies could be opted out by changing browser settings.
How can I stay informed about the latest developments in online privacy and PII protection?
To be updated with the latest developments in online privacy and PII protection, read CookieScript blog or privacy laws.