Personally Identifiable Information (“PII”) has become a buzzword in the privacy law world over the last few years, and it is heavily protected by rules and regulations around the world, such as the General Data Protection Regulation (GDPR). Companies that fail to comply with regulations such as the GDPR, or that suffer a data breach, face steep penalties and/or burdensome, mandated mitigation and reporting requirements.
Because of this, companies both large and small across the world have started to familiarize themselves with the term and their obligations with respect to it.
So, that begs the question: what exactly is it?
At the risk of being a jerk: it depends on who you ask! Changes to privacy laws have been rapid-fire over the last few years, and the definition of what’s considered “personally identifiable information” expands each time a new law is enacted.
Generally, PII is one or more pieces of data that can be used to identify a person with particularity. Below, we’ve compiled a (non-exhaustive, but exhausting!) list of things that may be considered PII under the law. Some of these may only currently apply in certain states or jurisdictions. But, as the trend in privacy law is to add to this list, instead of delete from it, we want to present you with the most inclusive list possible. Here we go!
* Online identifier (e.g. social media handles)
* IP address
* Unique device IDs
* Account name
* Postal address
* Street address
* Email address
* Telephone number
* Social security number
* Driver’s license number or state identification number
* International ID number (e.g. passport number, other international governmental ID number)
* Other unique personal identifier
* Physical characteristics or descriptions of a person
* Geolocation data
* Family and lifestyle details
* Genetic data
* Biometric data
* Racial/ethnic/color data
* Political opinion or affiliation data
* Religious or philosophical beliefs data
* Trade union membership data
* Sex life, sexual orientation, and gender identity data
* National origin
* Citizenship status
* Insurance policy numbers
* Educational background
* Current employer
* Employment history
* Bank account numbers
* Credit card numbers
* Debit card numbers
* Other financial information
* Medical/health information
* Health insurance information
* Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
* Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
* Audio, electronic, visual, thermal, olfactory, or similar information (e.g. voice recordings)
* Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
We’ll continue to update this list as new privacy laws are enacted. Please check back regularly for updates! Questions? Contact us at firstname.lastname@example.org.
For more information, please visit the Carney website, here.
Disclaimer: this post is for informational/educational purposes only. It is not intended to provide any legal advice.