We often run into confusion surrounding the definition of PI vs. PII, in other words, what exactly constitutes personally identifiable information (PII) under the EU's General Data Protection Regulation (GDPR) versus personal information (PI) under the California Consumer Privacy Act (CCPA) of 2018. The exact qualifications vary by law and jurisdiction, but generally speaking, both laws define this type of data as information that can be used to distinguish one individual from another. It covers information closely tied to each consumer, for example name, birthdate, social security number and workplace information.
The key difference in terminology between the two laws is that the CCPA refers to this kind of sensitive data as "personal information" (PI), while the GDPR refers to it as "personally identifiable information" (PII, also commonly referred to as "personal data").
The CCPA acts as the genesis for state-mandated compliance laws in the US. Although it borrows principles from the GDPR, the CCPA distinguishes itself as a heavily consumer-oriented law that grants rights and privileges to individuals. To maintain compliance with both the CCPA and the GDPR, you need to understand how each law defines this category of information.
PI vs PII: Comparing Personal Information and Personal Data
What are PI and PII? Let's start with PI. As defined in CCPA § 1798.140, PI is "Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household."
This does not include information that has been made publicly available by local, state or federal government.
Identifiers that can reasonably be linked to a Californian individual or household include a person's real name, postal address, email address, social security number, driver's license number and passport number.
Several identifiers are often overlooked. With the prevalence of mobile data collection, businesses should be more vigilant and aware that IP addresses, geolocation data, biometric data and internet search history, among other data sources, are also classified as personal information.
Personal data as defined by Article 4 of the GDPR is as follows: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Any company that markets or sells goods to EU citizens, regardless of where it is located, is subject to the GDPR. Examples of personal information the law aims to protect include mailing addresses, email addresses, phone numbers, IP addresses, login ID details, social media posts and digital images.
Use Ground Labs for PI and PII Data Discovery
Companies are collecting data about individuals, both directly and indirectly, at a rapid pace and from a wide range of sources. To ensure that PI and PII, in this case personal information and personal data, are being protected, you need a complete picture of where all this data resides across both structured and unstructured sources. Use Enterprise Recon to learn exactly what PII data your company has stored, how it is being used and, most importantly, how it is being protected.
If you are ready to start your data discovery journey, book a demo with one of our data experts today.