What is personally identifiable information (PII)?
Broadly speaking, personally identifiable information (“PII”) is any data or information that can be used to link to, or potentially identify, a specific individual, whether directly or indirectly.
As mentioned above, the US privacy landscape is governed by sectoral federal and state laws, as well as some comprehensive state laws. The lifecycle of particular PII may be governed by many regulations simultaneously. Each regulation establishes its applicability, its scope, and, amongst other things, its definition of PII.
If that sounds like a tricky minefield to navigate, it’s because it is.
For example, one of the most impactful privacy regulations to govern the financial industry is the Gramm-Leach-Bliley Act (“GLBA”). In the GLBA, the applicable PII is referred to as “Nonpublic Personal Information” (“NPPI”). NPPI is defined as “personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.”
The recently enacted California Consumer Privacy Act (“CCPA”), a comprehensive state law, refers to the concept of PII as “Personal Information.” The CCPA goes on to define Personal Information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Although the GLBA and CCPA represent only a fraction of the current privacy regulations in the US, these two regulations highlight the differences in terminology used to define PII.
Which PII definition to use
The applicable definition of PII should be determined by the method of, and the reason for, its collection. Take, for example, Jane Doe, a California resident:
Jane’s email address is listed in her LinkedIn profile so that prospective employers can contact her. In this capacity, Jane’s email would likely be categorized, amongst other things, as Personal Information under the CCPA.
Later, Jane lists her email address, the exact same email address, in her application for a personal loan with a financial institution. Even though Jane’s email address can be found easily via her LinkedIn profile, her email address as listed in the application is now also NPPI under the GLBA. Why? Because her email address is PII that she provided to her financial institution via a confidential application for credit. As such, Jane’s financial institution is now charged with all the responsibilities associated with NPPI, as conferred by the GLBA.
In the end, the same PII could be covered by multiple rules and regulations.