In today’s privacy environment, there is a lot of talk about “personal data.” Is this platform or that tag collecting any “personal information”? Is the collection and use of that information allowed?
The problem with these questions in many organizations is that there is not a general understanding as to what “personal data” represents. Are we talking about “Personal Data” as defined by GDPR? “Personal Information” as defined in the CCPA? Or just good old-fashioned “Personally Identifiable Information” as outlined in the terms of service in popular products such as Google Analytics?
Let’s explore the definition of each so everyone can finally be on the same page.
Personally Identifiable Information (PII)
PII is data that can be used to directly identify a particular person. This is the classic definition that many people are used to. Examples include the following:
- Full name
- Social Security number
- Driver’s license number
- Passport number
- Bank account number
- Credit card number
- Email address
There are a number of restrictions when dealing with PII. Within the context of marketing and advertising platforms, many have Terms of Service that prohibit the collection of such information. For example, if using Google Analytics, the collection of PII is expressly prohibited. The penalty for collecting any PII could include account termination and the destruction of any and all data that has been collected within it. Beyond these limitations, PII is also called out in many laws and regulations and is usually what we think of when referring to “sensitive” data that must be specially handled across many industries.
Personal Data (General Data Protection Regulation)
Personal Data is defined in the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” (GDPR, Article 4(1)).
In layman’s terms, this means any information that can be used to directly or indirectly identify a person. The definition here is, therefore, a bit broader than that of Personally Identifiable Information (PII), and PII also falls under the definition of “Personal Data” as outlined here in GDPR.
For purposes of marketing and advertising, this means that data points that are anonymous or pseudonymous but unique to an individual (such as IP address or a unique cookie ID) are also considered Personal Data. The definition also includes disparate data points that may be combined to identify a person, if they are combined and used in this way (hence “indirectly” identify). With various browser limitations being introduced and the efficacy of cookies becoming more limited, there is a lot of discussion around practices such as “browser fingerprinting.” With this type of approach, platforms will collect many seemingly innocuous data points from a user’s browser, such as screen dimension, browser version, and device type. Using these data points, the platforms will then combine them all together to create a unique identifier of an individual’s browser (the “fingerprint”). When this type of activity is occurring, those data points also fall under the definition of “Personal Data” since they are used in such a way as to enable identification of users, albeit in a more roundabout way.
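The following is an added example, not code from the original article or from any platform it names. It audits a constructed sample of collected hits to show how attributes that single out nobody on their own become identifying once combined; the field names, sample values and the use of a truncated SHA-256 as the combined identifier are assumptions made for illustration.

```python
import hashlib
from collections import Counter
from itertools import combinations

# Constructed sample of collected hits: only "innocuous" browser
# attributes, no names, emails or cookie IDs. Field names are assumed.
FIELDS = ("browser", "device", "screen")
VISITS = [
    {"screen": "1920x1080", "browser": "Chrome 120", "device": "desktop"},
    {"screen": "1920x1080", "browser": "Chrome 120", "device": "desktop"},
    {"screen": "1920x1080", "browser": "Firefox 121", "device": "desktop"},
    {"screen": "1366x768", "browser": "Firefox 121", "device": "desktop"},
    {"screen": "1366x768", "browser": "Chrome 120", "device": "desktop"},
    {"screen": "390x844", "browser": "Safari 17", "device": "mobile"},
    {"screen": "390x844", "browser": "Chrome 120", "device": "mobile"},
    {"screen": "1366x768", "browser": "Safari 17", "device": "mobile"},
]


def fingerprint(record, fields):
    """Join the chosen attributes and hash them into one stable identifier."""
    joined = "|".join(f"{name}={record[name]}" for name in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()[:16]


def singled_out(records, fields):
    """Count records whose combination of `fields` matches no other record."""
    prints = [fingerprint(r, fields) for r in records]
    seen = Counter(prints)
    return sum(1 for p in prints if seen[p] == 1)


def audit(records, fields=FIELDS):
    """Map every attribute subset to the number of records it singles out."""
    return {
        combo: singled_out(records, combo)
        for size in range(1, len(fields) + 1)
        for combo in combinations(fields, size)
    }


if __name__ == "__main__":
    for combo, unique in audit(VISITS).items():
        label = " + ".join(combo)
        print(f"{label:28} singles out {unique} of {len(VISITS)} records")
```

Run against a real export of collected attributes, the same audit shows which combinations of fields act as an indirect identifier and therefore need to be treated as Personal Data.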
Personal Information (California Consumer Privacy Act)
Personal Information is defined in the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (CCPA, Section 1798.140(o)(1)). This includes “internet activity (including browsing and search history as well as web tracking data).”
As can be inferred from the legal definition, this is much broader than both PII and Personal Data as defined in the GDPR. “Personal Information” includes data that would fall under both of those definitions, and extends further to any data that can be associated with a person or household. This means that the data does not even need to identify the user; as long as it is associated with a known user (whether through an anonymous ID such as a cookie ID or a known identifier such as an email), it falls under this definition.
There are significant implications here for analytics and advertising platforms. Let’s use Google Analytics as an example. With all hits sent to GA, there is a unique “Client ID.” This Client ID is an anonymous ID that allows you to see metrics such as number of sessions and returning visits, and that ties together actions across visits such as pages viewed, products viewed, add to cart events, etc. Because all of the user’s interactions with the website (content viewed, download actions, purchase events, etc.) are associated with the Client ID, they are also associated with a particular consumer. Therefore, all of this data collected falls under the definition of “Personal Information” as outlined in the CCPA.
As you can see, the definition of “Personal” is going to depend quite a bit on the context in which the data is being discussed. Whenever you have a discussion around data governance and privacy, it is extremely important to establish the definition of “personal” with all individuals involved. Hopefully the above can help get everyone within your organization on the same page to make productive and safe decisions about your data architecture.