There has been a lot said recently about data privacy and personally identifiable information (PII), but to understand what all the fuss is about, you have to know what PII really is.
Earlier this year, the institution of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) ensured that talk of PII dominated the headlines and had businesses scrambling to better understand what it is, when they collect it, and how they use it.
The world of internet privacy and data practices is constantly evolving, and businesses and consumers alike are changing the way they look at personal information. It’s now more important than ever for businesses to understand what PII is and how they can use it.
1. What is PII?
Personally identifiable information, or PII, is any piece of data that can be used on its own or in conjunction with another piece of information to identify a physical person.
Put simply, if you can use a piece of information to identify an individual, that information is considered PII. Think of it like a puzzle – even if you can’t make out the picture with one piece, that piece can be used along with others to form the complete image. The same concept applies to personal information.
When auditing your site for PII collection, be sure to consider pseudonymous data. This is data which, by itself, cannot be used to identify an individual. However, when coupled with other data, it can be used to identify a physical person.
Whether data is legally considered PII or not depends on the country in which you’re located and your own nationality, as the definition of PII varies from region to region. Some data commonly considered to be PII are:
- Social security numbers
- Driver’s license or ID numbers
- Phone numbers
- Medical records
- Biometric data
- Birth locations
- License plate numbers
While this is just a basic list, be aware that the definition of PII can change as laws and regulations catch up to today’s digital reality. For example, as of May 25, 2018 — with the enactment of the GDPR in Europe — an IP address is now considered PII.
Special consideration should be taken when collecting PII that the GDPR defines as “sensitive” – which includes information such as an individual’s race, ethnicity, sexuality, political beliefs, biometric or genetic data, and trade union membership.
2. Do You Collect Personally Identifiable Information?
Now that you know what PII is, you need to determine whether your business collects, stores, and uses it. Of course, signup forms and checkout processes are obvious sources of data collection, but it’s possible that you – or the third-party services you use – collect even more PII than you realize.
When scouring your website for all the places and ways in which you collect PII, there are a few key areas to keep in mind:
- Direct collection through forms: Signup forms are the most obvious culprits for data collection, as users are prompted to manually enter their own information. Any form or data field in which users can enter their information is likely to gather and store PII. Depending on how your website and servers are set up, you may be collecting this data regardless of whether or not the user submits it.
- Analytics tools: Website analytics are integral to the continued and growing success of any online business. Analytics tools like Google Analytics and Crazy Egg make it easy to better understand user intent and behavior. While these types of solutions tend to look at aggregate data – as opposed to individual users – when they create reports, they may still collect user information such as geographic locations and IP addresses.
- Geotargeting: Geotargeting technology may collect a user’s exact location based on a person’s unique mobile device, or obtain a broader location, such as their city or state. This information can be used to serve up more relevant content to the user, but if the data collected is coupled with another piece of data, it could be used to identify a physical person.
- Point of Sale systems (POS): Modern POS systems are often digital and are seen at the checkout page of an ecommerce or SaaS website. These systems collect customer information such as names, telephone numbers, and email addresses. POS solutions will also have access to credit card data and other payment information.
- Customer relationship management software (CRM): A GDPR-compliant CRM can be an invaluable tool for any burgeoning online business, as it helps to develop a closer relationship between you and your users. Your sales and marketing teams – or whoever runs your CRM – will collect and store information on potential and current customers through a CRM.
- Customer support: Whenever a user contacts you or your customer support team, you will most likely get their email address or phone number, their name, and sometimes personal address and more. Many businesses employ contact center software to store this information and keep it on file.
While this list is fairly comprehensive, it’s by no means exhaustive. You’ll need to spend some time with your IT department – or on your own if necessary – to determine each and every way you might collect PII.
If you haven’t already done so, performing a data audit should be at the top of your to-do list. Take time to map out the trajectory of the data you collect – making note of where it’s collected, how it’s stored, and how it may be shared.
As you’ll find in the next section, not accounting for even a single data collection point could put your entire business at risk.
3. Does Collecting PII Put Your Business at Risk?
Regarding the regulations that pertain specifically to PII, the three areas you typically need to address are collection, consent, and handling.
While new laws and regulations are due to be enacted in the near future — such as the ePrivacy Regulation — there are currently three prominent regulations that can have huge financial impacts on your business as a result of your information practices.
Most likely coming into effect in 2020, the ePrivacy Regulation will replace the ePrivacy Directive (EU Cookie Law) and expand upon the GDPR’s stringent guidelines for the handling of PII.
General Data Protection Regulation
The General Data Protection Regulation became enforceable in May of 2018, and applies to any business that’s located in the European Union (EU) or collects PII from data subjects of the EU — even if you aren’t an EU-based business (this means there are GDPR Requirements for US companies that collect PII from EU data subjects).
Although GDPR compliance is a complicated process which spans several disciplines, in order to comply with this regulation with regard to data collection, you need to establish a lawful basis (e.g., GDPR consent, provision of contract, or legitimate interest) for each data collection point before any data is collected.
Data handlers (that’s you) must protect this information against unauthorized usage during its storage and management, and PII owners (your users) must be provided with the option to review the information you have about them and request deletion of that data.
For a full introduction to all the key concepts and requirements of the GDPR, check out our essential What is GDPR? guide.
One of the best ways to allow users to exercise their data-control rights is by offering a Data Subject Access Request (DSAR) form, which gives users the opportunity to request to access, edit, transfer, or delete their data.
Additionally, in the event of a data breach, you have 72 hours to notify the appropriate authorities of the breach.
Failure to adhere to GDPR requirements could result in fines of up to 20 million euros, or four percent of your business’s annual global revenue.
California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) was passed into law in 2018 and is set to become enforceable on January 1, 2020. It is considered to be one of the strictest privacy laws in the history of the United States, and will pertain to any business that is located in the State of California or serves California-based users.
Further, the new law will grant users the right to refuse the sale of their personal information to third parties. It will also require that minors under the age of 16 be opted-out of the sale of their information by default. This means that users under 16 would have to actively opt in to the sale of their PII before the business could leverage it for financial gain.
Intentional violations of the CCPA carry fines of up to $7,500 per violation, and unintentional non-compliance will cost $2,500 per violation. Fortunately, you will be able to avoid the latter fine as long as you resolve the issue within 30 days of the citation.
To learn more about how to comply, why you need to, and what failing to do so could cost you, read our post about the ins and outs of the CCPA.
Although businesses have until 2020 to put the necessary systems in place to achieve compliance with the CCPA, the process will be complex, and needs to be considered thoughtfully.
California Online Privacy Protection Act
The California Online Privacy Protection Act (CalOPPA) was originally passed into law in 2004, and received further updates in 2013. Like the CCPA, CalOPPA pertains to any business that is located in California or serves Californian users.
Failure to comply with CalOPPA will land you fines to the tune of $2,500 per violation — meaning per user whose PII was collected. Even a modestly sized site that receives only 100 users a week could accrue fines of over a quarter of a million dollars!
PII can be a tricky subject to tackle — especially as more countries and states start to implement online privacy and data protection laws. Regulations are catching up to a data-centric world, and that can necessitate major changes in the way that you operate, and the systems you use to work with information.
And while privacy laws are inherently complicated, with many different facets pertaining to different situations and types of data collection, the underlying goal is clear: transparency. The world of data is moving far away from the Wild West it once was, and toward a new horizon where data collection practices are clear, conspicuous, and consented to by all users.
Now that you know more about what PII is and the methods you use to collect it, make sure you handle this data with care and implement the appropriate methods for maintaining legal compliance.