Comparing PI and PII Data: CCPA vs. GDPR, What is the Difference?
We often run into confusion surrounding what exactly constitutes personally identifiable information (PII). PII qualifications vary depending on the specific compliance laws and jurisdictions, but generally speaking, PII is simply defined as information used to distinguish individuals from one another. PII pertains to information closely related to each consumer, for example, name, birthdate, social security number, and workplace information.
The key differentiator in how the GDPR and the California Consumer Privacy Act of 2018 (CCPA) define PII is that the CCPA refers to it as “personal information” and the GDPR refers to it as “personal data.”
The CCPA acts as the genesis for state-mandated U.S. compliance laws. And although it does borrow principles from the GDPR, the law distinguishes itself as a heavily consumer-oriented law, giving rights and privileges to individuals. In order to maintain both CCPA and GDPR compliance, you will need to understand how PII is defined under each law.
Comparing Personal Information (PI) vs. Personal Data
PI as defined by the CCPA § 1798.140: “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”
This does not include any information that has been made publicly available by the local, state or federal government.
Identifiers that can reasonably be tethered to a Californian individual or household include things such as a person’s real name, postal address, email address, social security number, driver’s license number, and passport number.
Several indicators are often overlooked, but with the prevalence of mobile data collection, businesses should be more vigilant and be aware that IP addresses, geolocations, biometric data, and internet search history — among other data sources — are also classified as personal information.
Personal data as defined by Article 4 of the GDPR: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Any company that markets or sells goods to EU citizens, regardless of location, is subject to the GDPR. Examples of personal information the law aims to protect include mailing addresses, email addresses, phone numbers, IP addresses, login ID details, social media posts and digital images.
Use Ground Labs for PI and PII Data Discovery
Companies are collecting data about individuals, both directly and indirectly, at a rapid pace and from a range of sources. In order to ensure that PII — in this case, personal information and personal data — is being protected, you will need to understand the big picture of where all this data resides across structured and unstructured sources. Use Enterprise Recon to learn exactly what PII data your company has stored, how it is being used, and most importantly, how it is being protected.
If you are ready to start your data discovery journey, book a demo with a data expert today.