NEW: 2024 Gartner Market Guide for Consent and Preference Management
Access now
Back to main menu

PII & Privacy Laws

Posted: January 3, 2023

Among the many acronyms of data privacy, PII is a term that is commonly encountered in data privacy regulations, frameworks, and more. Referring to any information or data that can be attributed to an individual, understanding the significance of Personally Identifiable Information (PII), and how to protect it, is crucial for organizations.

At the very core of data privacy, protecting PII is a critical component of any organization’s privacy practices. Ensuring the security of PII helps maintain trust, comply with legal requirements, and prevent data breaches that could lead to significant financial and reputational damage. Understanding what constitutes PII is the first step in establishing the data protection requirements within any organization.

 

What is Personally Identifiable Information (PII)? An overview

Firstly, it is important to recognize that data privacy laws and regulation each define PII differently. However, PII is generally used to describe any data or information that can be used to identify or trace an individual, such as:

  • First and last names
  • Email addresses
  • Contact numbers
  • Passport information
  • IP addresses
  • Financial details
  • Medical records
  • Social security numbers
  • Employment information

Personally Identifiable Information (PII) refers to any data that can be used to identify an individual, either on its own or in combination with other information. This can include direct identifiers like a full name, or indirect identifiers such as IP addresses, which may not immediately reveal an identity but can be used to trace an individual. PII is collected in many contexts, such as when making online purchases, receiving healthcare services, or using social media platforms. With such vast amounts of personal information being processed comes the need for effective data protection from organizations—often governed by several privacy laws and regulations.

 

Why privacy laws matter: The importance of protecting PII

In a digital world that is rife with threats to data and personal information, the significance of privacy laws cannot be ignored. Designed to protect personal data from breaches and misuse, data privacy laws such as the GDPR are essential in building trust between consumers and businesses.

In order for businesses to comply with regulatory requirements, there must be an understanding of what data they collect from consumers, how this data is handled and stored, and which regulations are applicable to their data processing activities.

 

Key global privacy regulations every business should know

Data privacy laws vary by region, and organizations must comply with the regulations that apply to their industry and location. These regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers, set standards for how personal data should be collected, processed, and protected.

Compliance with these regulations is essential for organizations to ensure the privacy and security of personal information, avoid legal penalties, and build trust with their customers. However, understanding which laws apply to your business is not just a recommendation; it is a necessity for compliance and the effective management of personal information.

 

How PII is defined under different privacy laws

GDPR (Europe)

The General Data Protection Regulation (GDPR) sets strict guidelines for the collection, processing, storage, and transfer of personal data of individuals within the EU. The GDPR aims to give individuals greater control over their personal information, ensuring it is handled transparently and securely. It also imposes significant penalties for non-compliance, making it one of the toughest privacy and security laws globally.

The GDPR applies to any business that processes the personal data of individuals within the European Union, regardless of where the business is located. This means that even companies outside the EU must comply with GDPR if they offer goods or services to, or monitor the behavior of, EU residents.

Within the GDPR’s Article 4, ‘personal data’ is defined as:

  • Any information relating to an identified or identifiable individual (‘data subject’), such as name, an identification number, location data, an online identifier, or any factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.

Additionally, the GDPR grants individuals several rights regarding the collection of their personal data, including the right to restrict or object to its processing. This highlights the importance of consent management for any organization that collects data from consumers. Ensuring that the appropriate level of consent is obtained from individuals before processing any personal data is crucial for compliance, but also for maintaining consumer trust.

 

CCPA (California, USA)

The California Consumer Privacy Act (CCPA) grants California residents several rights regarding their personal information. These rights include the ability to know what personal data is being collected about them, to whom it is being sold or disclosed, to access and delete their personal data, and to opt-out of the sale of their personal information. The CCPA aims to provide greater transparency and control over personal data, ensuring that consumers are informed about and can manage how their information is used.

In terms of who the CCPA applies to, any for-profit businesses that collect personal information from California residents and meet at least one of the following criteria must comply with the CCPA:

  • have annual gross revenues exceeding $25 million
  • buy, receive, or sell the personal information of 100,000 or more consumers, households, or devices
  • Or derive 50% or more of their annual revenues from selling consumers’ personal information

Similarly to the GDPR, this broad applicability means that many businesses, even those not physically located in California, must comply with the CCPA if they engage with and collect data from California residents.

Under the CCPA, ‘personal information’ is defined broadly to include any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as names, addresses, email addresses, social security numbers, and IP addresses, as well as more sensitive information like financial data, medical information, and online activity.

 

HIPAA (USA)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law designed to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA establishes national standards for the protection of health information, ensuring that individuals’ medical records and other personal health information are properly safeguarded.

HIPAA applies to covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct certain transactions electronically. Additionally, HIPAA extends to business associates, which are individuals or entities that perform functions or activities on behalf of, or provide services to, covered entities that involve the use or disclosure of Protected Health Information (PHI).

Within HIPAA, personal information is referred to as Protected Health Information (PHI). PHI includes any information that can identify an individual and relates to their past, present, or future physical or mental health condition. This encompasses a wide range of data, such as:

  • Medical records
  • Billing information
  • Insurance details

 

PIPEDA (Canada)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that governs how private-sector organizations collect, use, and disclose personal information during the course of commercial activities.

PIPEDA applies to any private-sector organization that handles personal information, including businesses of all sizes and industries, as well as federally regulated organizations such as banks, telecommunications companies, and transportation firms. In order to ensure compliance with PIPEDA, organizations must adhere to its main principles, which include obtaining consent, limiting collection, ensuring accuracy, and implementing safeguards to protect personal information.

Providing a broad definition of what constitutes ‘personal information’, PIPEDA encompasses details such as age, name, ID numbers, income, ethnic origin, blood type, opinions, social status, and disciplinary actions. Essentially, any information that can be used to identify an individual, either directly or indirectly, falls under the scope of personal information protected by PIPEDA.

 

Best practices for handling PII in compliance with privacy laws

Once an organization has identified its data processing activities, and acknowledges the PII that is collected from consumers, several steps should be taken to ensure the effective management of personal information.

  • Consult applicable regulations: Ensure you are familiar with the data protection laws that apply to your organization’s data processing activities. Penalties for non-compliance can be detrimental to brand reputation and consumer loyalty.
  • Implement appropriate security measures: Establish a dedicated privacy program and implement the appropriate level of data security measures to protect PII. This includes encryption, access controls, and intrusion detection.
  • Consider your consent strategy: Develop a clear consent management strategy to obtain explicit consent from consumers before processing their PII. Effective consent management empowers consumers to take control of their data; granting them the right to rescind their consent at any time.
  • Train employees regularly: Provide ongoing training on data protection practices, including recognizing phishing attacks and securing customer data.

 

The consequences of non-compliance with privacy laws

Compliance should never be treated as a check-box exercise. From significant reputational damages to hefty fines, the consequences of non-compliance can be detrimental to any organization. Perhaps most importantly, ensuring the trust of your consumers is the key to fostering loyalty, and if subject to data breaches and misuse, that trust can be irreparably damaged.

By prioritizing data protection and privacy, organizations not only comply with legal requirements but also build a solid foundation for long-term customer relationships and business success. Starting with consent, organizations should make every effort to grant autonomy to their consumers when it comes to their personal information; putting them in control of their own data.

Implementing a Consent Management Platform (CMP) can streamline this process by providing a centralized system for managing user consents, preferences, and data access requests. This not only ensures compliance with privacy laws but also enhances transparency and trust, demonstrating a commitment to respecting consumer privacy and fostering a positive relationship with customers.

 

Protecting PII in the workplace: Policies every organization needs

To guarantee compliance and nurture consumer trust, there are a number of measures that organizations should follow in order to effectively safeguard PII:

  • Data classification: Organizations should start by identifying and classifying all Personally Identifiable Information (PII) they handle. Having an awareness of what data you have is crucial for effective protection.
  • Access controls: Implement strict access controls to ensure that only authorized personnel can access PII. This includes using multi-factor authentication, role-based access controls, and regularly reviewing access permissions to prevent unauthorized access.
  • Employee awareness: Regularly train employees on data protection best practices, including how to handle PII securely, recognize phishing attempts, and respond to data breaches. Awareness and education are key to preventing human errors that could lead to data breaches.
  • Keeping up-to-date with changes in regulation: Ensuring your organization is fully compliant with laws such as the GDPR, CCPA, and HIPAA is crucial in demonstrating a commitment to data protection. Looking out for changes or amendments to these laws is a must.

 

Examples of PII data breaches

British Airways

British Airways was hit with a severe data breach in 2018 that affected over 400,000 customers. PII such as financial details, personal login information, and travel booking information was harvested, with the breach going undetected for two months until a security researcher alerted the firm.

Subsequently, the Information Commissioner’s Office (ICO) fined British Airways £20 million for failing to implement adequate security measures that adhere with GDPR.

This case not only highlights the need for an effective data privacy framework, but also underscores the importance of close data monitoring to prevent breaches from going unnoticed.

 

Equifax

The Equifax data breach, which occurred in 2017, exposed the personal information of approximately 148 million people. Attackers exploited a vulnerability in a web application to gain access to Equifax’s systems, where they were able to extract PII data over several months. The breach included sensitive information such as Social Security numbers, addresses, and in some cases, driver’s license numbers and credit card details.

Equifax faced significant criticism for its delayed response and inadequate security measures. The company was fined heavily and required to spend billions on customer restitution and security improvements.

 

Capital One

The 2019 Capital One data breach affected over 100 million customers in the United States and Canada. A former employee of Amazon Web Services exploited a misconfigured firewall to access Capital One’s data stored on AWS. The breach exposed sensitive information, including names, addresses, credit scores, and Social Security numbers

Keeping track of vulnerabilities is key when it comes to preventing data breaches. Organizations should ensure that all systems are monitored and that adequate data security measures are established in order to safeguard PII.

 

Final thoughts

For any organization that handles Personally Identifiable Information (PII), having the correct measures to protect it is crucial for maintaining the trust and confidence of consumers, complying with legal requirements, and safeguarding against data breaches that can lead to significant financial and reputational damage.

A key component of any privacy program, implementing a consent management strategy ensures organizations can efficiently manage user consents, preferences, and data access requests. This not only helps in complying with privacy laws but also enhances transparency and trust, demonstrating a commitment to protecting consumer privacy and fostering long-term loyalty with consumers.

Implementation guide to Consent and Preferences

Download guide
An implementation guide to consent and preferences

You might also like to read:

protect data

How to protect data at an enterprise level

How to protect data at an enterprise level

The need to protect data is crucial for enterprise brands and organizations. Discover actionable tactics in our latest blog.

Read more
Mapping the global landscape of online data privacy

Across borders: Mapping the global landscape of online data privacy

Across borders: Mapping the global landscape of online data privacy

Cassie's latest survey reveals global privacy concerns. Understanding them is vital for business leaders to meet customer needs - learn more.

Read more