Privacy laws across the world govern the collection, use and disclosure of Personally Identifiable Information, or PII for short. In general terms, PII is any information that could be used to identify a specific person. The most common examples of PII include name, email or phone number. What makes privacy law interesting (or difficult, depending on how you look at it) is the fact that each privacy law can define PII in slightly different ways. Some privacy laws use the terms personal information or personal data instead of PII. The definition of PII is an important consideration because if you do not collect PII as defined by a particular law, then that law may not apply to you. In this blog, we will see how the most popular privacy laws define Personally Identifiable Information.
How does the California Online Privacy Protection Act of 2003 (CalOPPA) define PII?
CalOPPA, which is a privacy law that protects the privacy rights of California residents, defines PII as “individually identifiable information about an individual consumer collected online by the (website) operator from that individual and maintained by the (website) operator in an accessible form.” CalOPPA states that PII includes the following:
- A first and last name;
- A home or other physical address, including street name and name of a city or town;
- An email address;
- A telephone number;
- A social security number;
- Any other identifier that permits the physical or online contacting of a specific individual;
- Information concerning a user that the website collects online from the user and maintains in personally identifiable form in combination with any of the above.
How does the California Consumer Privacy Act (CCPA) define PII?
The CCPA is a more recent law that protects the privacy rights of California residents. The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information include but are not limited to the following:
- Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
- Any characteristics of personal information described in Section 1798.80(e). This section states that the definition of personal information includes name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information or health insurance information.
- Characteristics of protected classifications under California or federal law. Characteristics of protected classifications under California law include race, color, religion, sex/gender, gender identity, gender expression, sexual orientation, marital status, medical condition, military or veteran status, national origin, ancestry, disability, genetic information, request for family care leave, request for leave for an employee’s own serious health condition, request for pregnancy disability leave, retaliation for reporting patient abuse in tax-supported institutions and age.
- Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consumer histories or tendencies;
- Biometric information, which is defined as an individual’s physiological, biological, or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or other identifying data, to establish individual identity. Biometric information includes but is not limited to imagery of the iris, retina, fingerprint, face, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait pattern or rhythms, and sleep, health or exercise data that contain identifying information;
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application or advertisement;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Education information, which is defined as information that is not publicly available PII as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99);
- Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
The CCPA is also helpful in that it states what is not included in the definition of PII. The following types of information are not considered PII under the CCPA:
- Publicly available information, which is information that is lawfully made available from state, federal or local government records; and
- Consumer information that is deidentified or aggregate consumer information.
How does Nevada Revised Statutes Chapter 603A define PII?
Nevada Revised Statutes Chapter 603A is a privacy law that protects the privacy rights of residents of Nevada. This law defines personal information as a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
- Social security number;
- Driver’s license number or identification card number;
- Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
How does the General Data Protection Regulation (GDPR) define PII?
GDPR is a law that protects the privacy rights of residents of the European Union. This law defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
How does the Personal Information Protection and Electronic Documents Act (PIPEDA) define PII?
PIPEDA is a law that protects the privacy rights of residents of Canada. Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form such as:
- Age, name, ID numbers, income, ethnic origin or blood type;
- Opinions, evaluations, comments, social status, or disciplinary actions; and
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, and intentions (e.g. intentions to acquire goods or services, or change jobs).
How does the Australia Privacy Act 1988 define PII?
The Australia Privacy Act 1988 protects the privacy rights of residents of Australia and defines personal information as any information or opinion that could identify an individual. Some examples of personal information under this law include the following:
- An individual’s name, signature, address, phone number or date of birth;
- Sensitive information, which includes race or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union memberships or associations, sexual orientation or practices, criminal record, health or genetic information and some aspects of biometric information;
- Credit information;
- Employee record information;
- IP addresses;
- Voice print and facial recognition biometrics;
- Location information from a mobile device.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.