CCPA/CPRA Data Mapping: The Why, What, and How
How often does the word “right” show up in the text of the CCPA/CPRA?Read Now
August 17, 2022
We’re officially in an era where navigating data privacy regulations — and striving for constant compliance — are expected, commonplace practices. But among the nuances and stipulations attached to data privacy compliance, organizations must also learn the wealth of terminology and definitions behind it all.
Your organization is expected to understand, at least at a basic level, how to interpret this new lexicon — and how it applies in the data privacy world. Especially when several terms seem to hold similar definitions. Shouldn’t “personally identifiable information” (PII) mean the same as “personal information” (PI)?
The good news? We’re here to break down PII versus PI (and one other commonly confused phrase) for you. Here are three terms that we’ll cover in this article:
Depending on the jurisdiction, the term “personal data” can take on varied meanings. But as an umbrella definition, “personal data” refers to digital or analog information that can be used to identify a specific person.
Personal data can include a person’s name, address, email address, IP address, phone number, Social Security number, banking information, and more.
That said, context matters. Take the name Jane Smith. With no other information attached to the name, jurisdictions wouldn’t consider it personal data for any legal reason. Many Jane Smiths exist in the world, and if there’s only a name to go off of, there’s no way to know which Jane Smith is in question.
However, if Jane Smith has a street address and phone number attached to her name in a single location or file, most jurisdictions would call that personal data. As such, companies in possession of Jane’s data are beholden to data privacy regulations.
Bottom line? The more info you have on a person (especially when collected in a single place), the more “personal” the data becomes.
To ensure your organization is compliant with all relevant data privacy laws and regulations, understanding the definition of “personal data” across jurisdictions is imperative. Of course, the definition can vary — geographically, legally, and otherwise — which means you must give careful consideration to how you interpret it.
Here’s something that’ll confuse you: Technically, all personally identifiable information (PII) is considered personal data, but not all personal data is considered PII.
They’re not mutually exclusive.
PII consists of any information about a person — including data that can trace or distinguish their identity — and any information that can be linked to them (like medical, financial, or employment data). But personal data on its own doesn’t always consist of all those identifiers.
When we talk about distinguishing a person’s identity, that means identifying one individual over another using specific data (like the Jane Smith example). Tracing that individual means you’re processing enough data to understand aspects of that person’s status or activities. As such, personal information like name, email, phone number, Social Security number, etc. are considered PII.
From a zoomed-out perspective, the greatest difference between personal data and PII is that PII is often used to differentiate one person from another, while personal data includes any information related to a living individual, whether it distinguishes them from another individual or not. Again, think of Jane Smith. Jane’s name is her personal data, but it isn’t PII since there are many Jane Smiths out there.
We provide insight here into how several data privacy laws interpret the phrase.
The term “personal information,” or PI, is most often used in one particular data protection law: the California Consumer Privacy Act (CCPA).
Though PI and PII are closely related, the CCPA defines PI as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
However, this doesn’t include information that has been made publicly available by the local, state, or federal government. Still, identifiers that can be linked to a California resident include those similar to PII identifiers: a person’s name, address, email, Social Security number, etc.
One notable difference when it comes to PII versus PI? Personal information, under the California law, also constitutes data like IP addresses; biometric, location, or audio information; and personal device identifiers.
The definition of “sensitive information” — also known as “sensitive data” — is a bit different from one data privacy law to another.
As an overarching definition, sensitive information is personal data that most jurisdictions believe should be treated with a higher standard of care. To protect it, your company may have to apply greater security measures. And, depending on the law, it’s possible you’ll need different kinds of consent to collect it.
If your organization allows unauthorized access to a data subject’s sensitive information, you face a greater risk of being penalized by data protection authorities. Permitting excessive access to sensitive data leaves a data subject open to various forms of harm and/or discrimination based on, for example, their sexual orientation, religious beliefs, private health matters, and the like.
Additionally, depending on location, sensitive information may comprise data collected from children. The latest GDPR regulations allow children 16 and older to consent to having their data processed on their own. Parental consent is required for children 13 to 15; children under 13 cannot, under any circumstances, provide consent themselves.
Like PI, sensitive information isn’t collected from unrestricted directories; it doesn’t include any data that the government makes available to the public.
Similar to the other terms previously listed, the way each data privacy law interprets sensitive information varies. For that reason, check your jurisdiction’s definitions before your organization collects personal information.
The other half? Knowing what kind of data you collect and where it lives.
While the amount of jargon associated with data privacy can be dizzying, keeping up with it all is imperative. Understanding the subtle nuances behind PII vs. PI and how each data privacy law interprets them will get you far.
But you’ll go even farther when you’re able to keep track of the data your company collects. Data discovery tools can make it easier. Because understanding your data is the first step in understanding the privacy laws (and all of the lingo) attached to it.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”