A Guide to Personally Identifiable Information (PII)
As technology evolves, the ways businesses operate, governments regulate, and individuals communicate have all changed. Digital tools such as cell phones, the Internet, e-commerce, facial recognition systems that unlock devices, and social media have increased the availability of all types of data, including the most sensitive data of all: Social Security numbers, medical history, browsing history, shopping preferences, and even more private personal information. Everything you do online leaves a trace.
Data that can be traced back to you is continually being created, regardless of what kind of device you are using. In addition, personally identifiable information (PII) is frequently created without your consent. This guide will help you understand what personally identifiable information is, how it is used, its different types, how it is treated under the GDPR, and examples of class action lawsuits.
What is Personally Identifiable Information (PII)?
In many regions of the world, personal data must be acquired, stored, and destroyed in accordance with compliance requirements and rules. The collection and processing of massive amounts of data has made PII a much larger component of personal privacy, because corporations may be held accountable if such information is improperly accessed, used, or disclosed.
Personally identifiable information, or PII, is any information that may be used to identify an individual directly or indirectly. It consists of data that, on its own or in combination with other data, can be used to establish a person's identity. PII includes both sensitive and non-sensitive data, such as a person's name, phone number, address, email address, birth date, and Social Security, credit card, and bank account numbers. PII gathered from other sources may also include anonymous identifiers and behavioral data, such as handwriting, fingerprints, and pictures of the data subject.
Different Types of Personally Identifiable Information
PII can be divided into two broad categories, sensitive and non-sensitive:
• Sensitive PII
Sensitive data is information that could be damaging to an individual if lost or stolen, for example bank account numbers, tax information, employee personnel records, credit and debit card numbers, passport information, email addresses, Internet account numbers, passwords, and biometric data. Exposure of this type of information is restricted by various laws, contracts, or ethics requirements. Attackers want this sensitive information, but they cannot access it legally. As one might expect, restricted data is usually protected by the strongest security controls.
• Non-Sensitive PII
Non-sensitive PII is information that can be transmitted unencrypted without causing harm to the person it describes. This data can easily be obtained from public records, phone books, company directories, and websites. It can be freely distributed, and it includes date of birth, place of residence, religion, ethnicity, sexual orientation, IP addresses, and business and personal phone numbers. Non-sensitive information is still linkable, however: when non-sensitive PII is paired with other linkable personal data, it can be used to reveal a person's identity.
• Genetic or Biometric Information
What is the Genetic Information Protection Act? Under certain interpretations of the Illinois GIPA laws, an individual's biometric or genetic information is also considered PII. GIPA, the Genetic Information Protection Act, is an Illinois law that seeks to protect the genetic information of Illinoisans. It protects individuals' privacy and guards against discrimination based on their "genetic" information, as defined by HIPAA.
Generally, the law does not allow employers to make decisions based on certain HIPAA-defined "genetic" factors such as RNA, DNA, proteins, chromosomes, metabolites, mutations, or chromosomal changes. It also prohibits the release of some of this private information to anyone other than the person being genetically tested. This is similar to the way personally identifiable information is protected.
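To make the linkage point above concrete, here is an added example (not from the original article): a constructed de-identified dataset whose "non-sensitive" fields (date of birth, ZIP code, sex) are matched against a constructed public directory, re-identifying every row, followed by a generalization step that raises the release to k=2 so that no row links to a single person. All names, records and field choices are invented for illustration.

```python
from collections import Counter

# Quasi-identifiers: each is "non-sensitive" on its own, yet jointly linkable.
QUASI_IDS = ("dob", "zip", "sex")

# Constructed "anonymized" release: names stripped, one sensitive attribute kept.
RELEASED = [
    {"dob": "1979-03-14", "zip": "60614", "sex": "F", "diagnosis": "asthma"},
    {"dob": "1985-11-02", "zip": "60614", "sex": "M", "diagnosis": "diabetes"},
    {"dob": "1985-07-23", "zip": "60647", "sex": "M", "diagnosis": "flu"},
    {"dob": "1979-09-30", "zip": "60647", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public directory (think voter roll) sharing the same fields.
DIRECTORY = [
    {"name": "Alice Example", "dob": "1979-03-14", "zip": "60614", "sex": "F"},
    {"name": "Bob Sample", "dob": "1985-11-02", "zip": "60614", "sex": "M"},
    {"name": "Carl Placeholder", "dob": "1985-07-23", "zip": "60647", "sex": "M"},
    {"name": "Dana Fictional", "dob": "1979-09-30", "zip": "60647", "sex": "F"},
]

def key(rec, qids=QUASI_IDS):
    return tuple(rec[q] for q in qids)

def link(released, directory, qids=QUASI_IDS):
    """Map name -> diagnosis for each released row matching exactly one person."""
    index = {}
    for person in directory:
        index.setdefault(key(person, qids), []).append(person["name"])
    hits = {}
    for row in released:
        names = index.get(key(row, qids), [])
        if len(names) == 1:  # unique match = re-identification
            hits[names[0]] = row["diagnosis"]
    return hits

def generalize(rec):
    """Mitigation: coarsen to birth year and 3-digit ZIP prefix."""
    return {**rec, "dob": rec["dob"][:4], "zip": rec["zip"][:3]}

def k_anonymity(rows, qids=QUASI_IDS):
    """Size of the smallest group of rows sharing the same quasi-identifiers."""
    return min(Counter(key(r, qids) for r in rows).values())

if __name__ == "__main__":
    print("k of raw release:", k_anonymity(RELEASED), "->", link(RELEASED, DIRECTORY))
    safe = [generalize(r) for r in RELEASED]
    print("k after generalizing:", k_anonymity(safe), "->", link(safe, [generalize(d) for d in DIRECTORY]))
```

Generalization is only one mitigation; the same check is worth running against any field combination a release shares with a public source.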
What is Personal Data Under the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) of the European Union establishes how businesses must handle personally identifiable information. It defines PII and sets out how to store, secure, and delete it. The GDPR checklist allows businesses to determine whether they are following the rules for PII handling. Because the Regulation applies to all websites that draw European visitors, all sites must follow it, even if they do not specifically offer products or services to EU residents.
Even if you do not conduct business with the EU, global security standards will undoubtedly be affected in the future. As a result, companies doing business in the EU or handling data subject to the GDPR are hurrying to meet the deadline. This entails ensuring that PII is stored securely and that security teams have access to appropriate reporting channels. The GDPR does not specify any precise data protection controls that an organization must follow; each firm has complete control over the security standards, confidentiality measures, and risk level it requires for its data.
Under the GDPR, individuals have rights to control their personal data and how it is used, such as having their data erased, objecting to processing, or having their data moved electronically. They must also be informed of any automated decision-making system described in the company's privacy notice, and they may object to automated decision-making, which forces businesses to provide a non-automated alternative.
The Pandora Media Case
In Yunker v. Pandora Media, Inc., a federal court in California determined that a reduction in the value of PII as a result of unlawful sharing is inadequate to support a claim. The case focused on the Pandora app. Pandora collected PII such as users' age, gender, location, and universally unique device identifier when they downloaded the app. In addition, the Pandora app included several advertising libraries, which ran in the background as consumers browsed the app.
The court dismissed the plaintiff's dilution theory. It reasoned that the plaintiff had not alleged that he attempted to sell his PII, that he would do so in the future, or that Pandora's activities prevented him from doing so.
Facebook Inc Cambridge Analytica Case
In early 2018, Facebook Inc., now rebranded as Meta, was rocked by a massive data leak. A third-party corporation, Cambridge Analytica, fraudulently obtained the information of 30 million Facebook users. Cambridge Analytica received the data through a University of Cambridge researcher who designed a personality assessment Facebook app. The app was intended to collect data only from users who agreed to let the quiz access their personal information. Unfortunately, the data of around 50 million Facebook users was shared without their permission. Facebook was forced to pay $3 billion in legal fees as a result.
What's Not Considered Personally Identifiable Information (PII)?
Non-personally identifiable information (non-PII) is information that cannot be used to track or identify a specific individual. The company you work for, aggregated data, and anonymized data are examples of non-personal data. Such information is not classified as PII.