There are two types of data in this world: the data that can identify an individual, and everything else.

When it comes to data that can identify people, think things like postal addresses and phone numbers. When it comes to “everything else,” think IP addresses and location.

One data set identifies an individual. The other doesn’t, but still provides information that’s useful for a marketer, an app developer, or a news website looking to optimize their experience.

The legal definition of Personally Identifiable Information (PII)

The U.S. government defines personally identifiable information (PII) as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”

Though the government regulates the collection and use of PII by its agencies and within certain sectors, the United States does not have any overarching data protection legislation. (We think it should, by the way).

Outside of the financial services or healthcare industries, which must follow federal regulations related to personal information, individual consumers primarily rely on state regulations for the protection of PII. At least 24 states have enacted legislation regulating the data security practices of private companies.

An explanation of linked and linkable information

On its own, a piece of information might not be PII. It is PII if it is linked to an individual and can be used to identify that individual. Examples of linked information include:

  • Full name
  • Home or email address
  • Driver’s license number
  • Asset information, like a MAC address
  • Ownership information, like a vehicle VIN number

Linkable information on its own does not identify an individual, but it could be used to trace someone’s identity when combined with other details. Examples of linkable information include:

  • Postal code
  • Age range
  • Gender
  • Workplace
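
The effect of combining linkable details can be measured on a data set before it is shared. The sketch below is an added example, not part of the original article: it counts how many records each combination of the four linkable attributes above singles out. The records, column names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). The columns are the
# "linkable" attributes listed above.
COLUMNS = ("postal_code", "age_range", "gender", "workplace")
RECORDS = [
    ("94107", "25-34", "F", "Acme"),
    ("94107", "25-34", "M", "Acme"),
    ("94107", "35-44", "F", "Globex"),
    ("94107", "35-44", "M", "Globex"),
    ("94110", "25-34", "F", "Globex"),
    ("94110", "25-34", "M", "Globex"),
    ("94110", "35-44", "F", "Acme"),
    ("94110", "35-44", "F", "Acme"),
]

def group_sizes(records, cols):
    """Count how many records share each value combination of `cols`."""
    idx = [COLUMNS.index(c) for c in cols]
    return Counter(tuple(r[i] for i in idx) for r in records)

def smallest_group(records, cols):
    """Size of the smallest crowd a record can hide in for `cols`."""
    return min(group_sizes(records, cols).values())

def singled_out(records, cols):
    """Number of records whose combination of `cols` is unique in the set."""
    return sum(1 for n in group_sizes(records, cols).values() if n == 1)

def report(records):
    """(columns, smallest group, records singled out) for every column subset."""
    rows = []
    for k in range(1, len(COLUMNS) + 1):
        for cols in combinations(COLUMNS, k):
            rows.append((cols, smallest_group(records, cols),
                         singled_out(records, cols)))
    return rows

if __name__ == "__main__":
    for cols, smallest, unique in report(RECORDS):
        print(f"{'+'.join(cols):45} smallest group={smallest} "
              f"singled out={unique}")
```

In this sample no single attribute isolates anyone, but postal code, age range and gender together already single out six of the eight records.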

Okay, so what is non-PII data?

Information that is anonymous and cannot be used to trace the identity of an individual is non-PII. Device IDs, cookies and IP addresses are not considered PII for most of the United States. But some states, like California, do classify this data as PII. California classifies aliases and account names as personal information as well.

What about regulations around PII and non-PII data?

The United States does not yet have federal regulations controlling the use of PII in digital advertising and marketing. The Telephone Consumer Protection Act, Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM Act), Privacy Act and Federal Trade Commission Act are applicable in part.

Set to go into effect in 2020, the California Consumer Privacy Act of 2018 contains the most restrictive data protection laws in the country.

PII is an effective marketing tool. But it needs to be collected and used the right way.

Paid advertising on websites and mobile apps allows publishers to provide content and services for free. Some companies tailor this digital advertising to customers’ likely interests.

This targeted advertising does not depend on PII, but on linking interest categories or demographic data with a browser or mobile device in order to present relevant ads.

Modern mobile operating systems contain temporary identifiers known as Mobile Advertising Identifiers that have built-in privacy controls. Android, Windows, and iOS devices have preference settings that allow users to opt out of interest-based or cross-app advertising. Users also have the option of changing the advertising identifier. These identifiers are separate from a mobile device’s permanent identifier.

Marketers can use PII in their efforts, but they need to meet the highest privacy standards possible. For one, there are very real legislative concerns in play, as highlighted in the California Consumer Privacy Act. But just as important is the need to be honest with users.

For brands, app developers, and marketers who use PII, non-PII, and everything in between, complete transparency with the user is necessary.

Because when you’re honest with your users, they love you for it.