Learning about personally identifiable information (PII) is crucial. Identifiable information can be used for nefarious purposes like identity theft and fraud.
So, how can you protect yourself as an innocent web browser?
Or, if you manage a website — how do you protect users and your company from falling prey to privacy breaches?
As one of the most trusted analytics solutions, we want our readers to be as informed as possible about data privacy issues and PII. Learn how you can keep your own or others’ information safe.
What is PII?
Before we discuss PII in-depth, let’s first understand what it stands for.
“PII” is an acronym for personally identifiable information.
Personally identifiable information (PII) is defined as any information that can be used to identify a person. The term was primarily used in the US data security and privacy breach notification context, but it has been adopted globally as a catch-all term for all information that can be linked to an individual. It is important to note that each privacy law defines what it protects slightly differently, and you will need to consult the specific law to understand what information or data is protected.
The US National Institute of Standards and Technology (NIST) defines PII as “any information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” (NIST SP 800-63-3, quoting OMB Circular A-130).
What can be considered personally identifiable information (PII)?
The following are considered examples of PII:
- Full name/usernames
- Home address/mailing address
- Email address
- Credit card numbers
- Date of birth
- Phone numbers
- Login details
- Precise locations
- Account numbers
- Security codes (including biometric records)
- Personal identification numbers
- Driver license number
Read a list of more PII examples.
Anonymous information, information that does not relate to individuals, or information that can’t be traced back to an individual, can be considered non-PII.
What is sensitive and non-sensitive PII?
The split into sensitive and non-sensitive PII is used to assist organisations in understanding their cybersecurity obligations and designing their cybersecurity response.
Sensitive PII comprises information which, if lost, compromised or disclosed without authorisation, could result in substantial harm, embarrassment, inconvenience or unfairness to the individual. Some common examples of sensitive PII include Social Security numbers, financial account information, driver’s license numbers and medical records. Such data requires a higher standard of protection and any breach affecting sensitive PII is more likely to be notifiable.
Non-sensitive PII is considered “less sensitive”, from a data breach response perspective, because, on its own, it usually can’t be used to commit identity theft or fraud or cause other harm to the individual. While such information might be part of an individual’s identity and still protected by privacy laws, it poses a lower risk in case of a breach without additional data (like a name, bank account or Social Security number). This means it’s not necessarily notifiable under U.S. data breach notification requirements; however, the assessment is contextual.
Use of appropriate safeguards (encryption, secure storage, appropriate access controls, etc.) can mitigate the risks.
However, when combined with other information, even non-sensitive PII data can become more potent, emphasising the importance of protecting all PII in compliance with applicable data protection laws. Note that both sensitive and non-sensitive PII are subject to privacy laws.
When combined, simple details can reveal much about someone and be misused. While knowing the differences is important, organisations processing PII need a complete plan that will allow them to keep PII safe and meet cybersecurity standards applicable to their business.
Who is affected by the exploitation of PII?
Anyone can be affected by the misuse of PII. Websites can compromise privacy by mishandling or illegally selling/sharing individuals’ data. This may lead to identity theft, account fraud, account takeovers, reputational damage and psychological harm. PII can be compromised not only when it is accessed by ill-meaning third parties, but also when employees of the organisation handling the PII access PII databases without authorisation.
How do cybercriminals exploit stolen PII?
Cybercriminals exploit stolen PII by committing online fraud. There are many risks involved once PII has been compromised, such as:
- Identity theft: One of the primary uses of stolen PII is identity theft. This allows cybercriminals to assume another person’s identity and commit fraud, open credit cards, take out loans, or make unauthorised purchases.
- Targeted phishing attacks: With detailed PII, cybercriminals can craft more convincing and targeted phishing emails or messages, increasing the chances that the recipient will fall for the scam.
- Financial loss: Direct financial losses can occur when cybercriminals access and misuse bank accounts, credit cards, or other financial resources tied to stolen PII.
- Legal repercussions: Victims of stolen PII might inadvertently be embroiled in legal battles if their identity is used for illicit activities.
Due to these risks, individuals and organisations must prioritise data security and stay informed about best practices for safeguarding PII.
Website owner’s responsibility for data privacy (PII and analytics)
If you’re using a web analytics tool like Google Analytics or Matomo, the best practice is to not collect PII where possible. This is to respect your website visitors’ privacy and minimise the risk of data breaches.
If you work in an industry that needs people to share personal information (e.g., healthcare, security industries, public sector), you must collect and handle this data securely and be aware of any applicable privacy laws and cybersecurity standards.
Although over half of the world’s population will have its private data protected by modern regulations, it’s still vital to play it safe. Organisations should only request PII if it’s absolutely necessary.
How you’re held accountable remains up to the privacy laws of the country you’re doing business in. Make sure you’re fully aware of these privacy and data protection laws that relate specifically to you.
To reduce the risk of privacy breaches, try collecting as little PII as possible, purging it as soon as possible and ensuring your IT security is updated and protected against security threats.
With data collection tools like web analytics, personal data may be tracked through features like User ID, custom variables and custom dimensions. It can also be present in places where it is harder to spot, for example, in page URLs, page titles, or referrer URLs. So be sure to configure your web analytics tools’ settings to ensure you’re respecting users’ privacy.
If you’re using a GDPR compliant tool like Matomo, learn how you can stop processing personal data.
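PII in page URLs, page titles and referrers can be removed before the tracker ever receives those values. The following is an added example, not Matomo's own code: it drops query parameters from an assumed PII list, pattern-scrubs email addresses and long digit runs, and queues the cleaned values through Matomo's `setCustomUrl`, `setReferrerUrl` and `setDocumentTitle` tracker methods. The parameter names, placeholders and sample page are constructed.

```javascript
// Added example: scrub PII from URLs, referrers and titles before tracking.
// The parameter list, placeholders and sample page are constructed.
const PII_PARAMS = new Set(['email', 'name', 'phone', 'user', 'username', 'token', 'dob']);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const DIGITS_RE = /\d{7,}/g; // deliberately broad: card, account, phone numbers

function scrubText(text) {
  return text.replace(EMAIL_RE, 'redacted-email').replace(DIGITS_RE, 'redacted-number');
}

// Decode a URL component, scrub it, and re-encode only if something changed.
function scrubEncoded(part) {
  let decoded;
  try { decoded = decodeURIComponent(part); } catch (err) { decoded = part; }
  const clean = scrubText(decoded);
  return clean === decoded ? part : encodeURIComponent(clean);
}

function scrubUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (err) { return scrubText(rawUrl); }
  url.username = ''; // credentials embedded in the URL never belong in analytics
  url.password = '';
  url.pathname = url.pathname.split('/').map(scrubEncoded).join('/');
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    // Drop known PII parameters outright; pattern-scrub the values of the rest.
    if (!PII_PARAMS.has(key.toLowerCase())) kept.append(key, scrubText(value));
  }
  url.search = kept.toString();
  url.hash = scrubEncoded(url.hash.slice(1));
  return url.toString();
}

// Queue a page view on a Matomo-style _paq array using only scrubbed values.
function queueScrubbedPageView(paq, page) {
  paq.push(['setCustomUrl', scrubUrl(page.url)]);
  paq.push(['setReferrerUrl', scrubUrl(page.referrer)]);
  paq.push(['setDocumentTitle', scrubText(page.title)]);
  paq.push(['trackPageView']);
  return paq;
}

const samplePage = { // constructed sample values
  url: 'https://shop.example/account/jane.doe%40example.com/orders?email=jane.doe@example.com&page=2',
  referrer: 'https://search.example/?q=jane.doe%40example.com',
  title: 'Order for jane.doe@example.com, card 4111111111111111',
};
console.log(queueScrubbedPageView([], samplePage));
```

In a browser, pass `window._paq` as the first argument and `location.href`, `document.referrer` and `document.title` as the page values.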
PII privacy laws by country
Given the rise in digital data storage and transactions, countries have established various laws to protect personal information.
Here’s a look at some privacy laws by country.
The realm of personal data protection in the European Union is governed predominantly by the General Data Protection Regulation (GDPR). This robust framework amplifies the rights of EU citizens regarding their personal protected information. Controllers or processors who fail to comply with the GDPR can receive a fine of up to €20 million or, in case of groups of companies, 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher. On the cybersecurity front, a failure to implement appropriate technical and organisational measures to protect personal data can result in a fine of up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Unlike the EU, the United States doesn’t operate under a single overarching data protection statute. Instead, the landscape is dotted with a myriad of laws at both the federal and state levels.
Federal laws like HIPAA target specific sectors, setting guidelines for data privacy. On the state front, significant advancements like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA) signal the growing emphasis on individual data rights. Other states that have passed consumer data privacy acts to date include Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas and Utah. Other bills are pending or proposed across the remaining states.
Privacy laws in other countries
The following are the primary privacy laws in other countries:
- PIPEDA (Personal Information Protection and Electronic Documents Act): Governs how businesses handle personal information in private transactions. Some provinces have specific regulations that align with PIPEDA.
- Privacy Act 1988, including Australian Privacy Principles, Australian Privacy Principles Guidelines and Notifiable Data Breaches scheme: Governs how federal and Norfolk Island government agencies and certain private sector entities handle personal information. State privacy laws also exist.
- DPDP (Digital Personal Data Protection Act): The Act applies to digital or digitized data only.
- Information Technology Act, 2000: Regulates cyber activities, including electronic data’s authenticity and security.
- LGPD (Lei Geral de Proteção de Dados Pessoais): Brazil’s main data protection law, LGPD, emphasises transparency, accountability and individual rights regarding personal data.
- PIPL (Personal Information Protection Law): China’s comprehensive data protection regulation ensures the lawful, justified and necessary processing of personal data.
- Cybersecurity Law: Focuses on network security, data protection and ensuring Chinese citizens’ data stays within the country.
- Data Security Law: Deals with data security across (broader than personal information).
Personally identifiable information (PII) vs personal data
While PII and “personal data” are sometimes used interchangeably, it is important to remember that while PII is always personal data, not all personal data as defined in the GDPR would be considered PII. For example, the GDPR definition of “personal data” includes data that has been pseudonymised, or data that may not have been traditionally seen as PII (online identifiers, IP addresses, device ID, browser information, some cookies, and URL names).
The definition of “personal data” according to the GDPR:
What’s seen as personal data depends on the context. If a piece of information can be combined with others to establish someone’s identity then that can be considered personal data.
How do you keep PII safe?
- Don’t give your data away so easily. Read the terms and conditions.
- Don’t just click “agree” when faced with consent screens, as consent screens are majorly flawed.
- Disable third-party cookies by default.
- Use strong passwords.
- Be wary of public WiFi — hackers can easily access your PII or sensitive data. Use a Virtual Private Network (VPN) to encrypt your connection.
Read more on how to keep PII safe. We’ve also included a PII compliance checklist for businesses and organisations.
PII security best practices
Protecting PII is crucial for businesses and organisations in maintaining trust and complying with privacy regulations.
Here are some best practices to ensure the safety of such data:
Incorporate data encryption
Always employ robust encryption standards for your PII, ensuring it’s encrypted during storage (at rest) and while being transferred (in transit) to safeguard against unauthorised access. This encryption acts as a protective barrier, rendering data unreadable to any unauthorised person who might intercept it.
Use data anonymisation
Incorporating data anonymisation can help organisations transform personal data to make them harder to identify. By utilising this technique, businesses can significantly reduce the risk of data breaches and protect PII from potential misuse. Tools such as Matomo provide a privacy-friendly analytics solution that guarantees GDPR compliance and offers data anonymisation as a .
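One common anonymisation step is truncating IP addresses before they are stored, so a record points to a network range rather than a single connection. The following is an added example of generic truncation, not Matomo's own implementation; the default of zeroing two IPv4 bytes and keeping 48 IPv6 bits is an assumption, and the addresses are constructed documentation-range values.

```javascript
// Added example: IP truncation as one anonymisation technique.
// Generic illustration with constructed addresses; not Matomo's own code.

// Zero the last `bytes` octets (1 to 3) of a dotted-quad IPv4 address.
function maskIPv4(ip, bytes) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`not an IPv4 address: ${ip}`);
  if (![1, 2, 3].includes(bytes)) throw new RangeError('bytes must be 1, 2 or 3');
  return octets.map((o, i) => (i >= 4 - bytes ? '0' : String(Number(o)))).join('.');
}

// Expand an IPv6 address (including "::") into eight 16-bit numbers.
function parseIPv6(ip) {
  const halves = ip.split('::');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const gap = halves.length === 2 ? 8 - head.length - tail.length : 0;
  const groups = [...head, ...Array(Math.max(gap, 0)).fill('0'), ...tail];
  const valid = halves.length <= 2 && groups.length === 8 &&
    (halves.length === 1 || gap >= 1) &&
    groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g));
  if (!valid) throw new Error(`not a plain IPv6 address: ${ip}`);
  return groups.map((g) => parseInt(g, 16));
}

// Keep the first `keepBits` bits of an IPv6 address and zero the rest.
function maskIPv6(ip, keepBits) {
  if (!Number.isInteger(keepBits) || keepBits < 0 || keepBits > 128) {
    throw new RangeError('keepBits must be between 0 and 128');
  }
  const masked = parseIPv6(ip).map((group, i) => {
    const bitsHere = Math.min(Math.max(keepBits - i * 16, 0), 16);
    return group & (0xffff << (16 - bitsHere)) & 0xffff;
  });
  return masked.map((g) => g.toString(16)).join(':'); // uncompressed form
}

// Assumed default policy: zero two IPv4 bytes, keep 48 IPv6 bits.
function anonymiseIp(ip) {
  return ip.includes(':') ? maskIPv6(ip, 48) : maskIPv4(ip, 2);
}

console.log(anonymiseIp('203.0.113.77'), anonymiseIp('2001:db8:85a3::8a2e:370:7334'));
```

A truncated address is lower resolution, but stored next to other fields it can still help single someone out, so the rest of the record needs the same scrutiny.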
Employ Multi-factor Authentication (MFA)
Mandate the use of MFA for any system storing or accessing PII, reinforcing user identity through multiple verification methods. By requiring various verification forms, MFA greatly reduces the risk of unauthorised access due to stolen or guessed credentials.
Monitor and apply updates
Diligently monitor and swiftly apply all software patches and updates to seal off vulnerabilities and keep your systems up-to-date against threats. Regularly updating software ensures that known vulnerabilities, which cybercriminals often exploit, are addressed promptly.
Establish access control
Establish strict access protocols (role-based and need-to-know basis), allowing PII access solely to those with a defined role and genuine necessity, minimising potential exposure points. This selective access means fewer people have the potential to inadvertently or maliciously misuse sensitive information.
Develop your own systems
You can effectively safeguard PII data by developing your own systems, such as by building custom plugins and APIs. Constructing your own solutions gives you complete control over how data is gathered, processed and transmitted. Using open-source platforms like Matomo, where you can customise various aspects or develop plugins, can be beneficial.
Encourage secure password policies
Advocate for complex password requirements and regular changes, bolstering defences against unauthorised access attempts. Strong passwords that are changed periodically can prevent unwanted access to critical systems.
Store data on your own servers
Storing your own data on your own servers can require some technical skills and extensive resources (like the actual servers themselves), but it’s incredibly common in industries that need high levels of data privacy and security. Industries like finance and healthcare often store their data on their own servers to ensure the data is as protected as possible.
Matomo On-Premise is a free solution for self-hosting your own servers to ensure your data is secure.
How Matomo deals with PII and personal data
Although Matomo is a web analytics tool that tracks user activity on your website, we take privacy and PII very seriously – on both our Cloud and On-Premise offerings. Matomo is a privacy-friendly analytics solution that gives you 100% data ownership and GDPR compliance.
As the GDPR continues to evolve, you can rest assured that Matomo will be at the forefront of these changes.
If you’re using Matomo and would like to know how you can be fully GDPR compliant and protect user privacy, read more:
- Learn how to not process any personally identifiable information – Anonymise IP addresses, user IDs, and order IDs
- Matomo protects user privacy by talking the talk and walking the walk
- Stay ahead of the GDPR with a privacy-respecting analytics platform
- 11 ways Matomo helps you protect your visitor’s privacy
We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to issues you may encounter when dealing with PII. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.