Personally Identifiable Information (PII)
However, there is information collected that receives additional protection in the United States, Canada, and other countries. For instance, some personal information can be used to identify or track an individual visitor.
This class of personal data is commonly referred to as sensitive personal information (SPI) or personally identifiable information (PII). The additional requirements for PII often control collection, storage, and use of such data because of how easy it can be abused to commit identify fraud, stalk people, and other illegal purposes.
Q: Can you give me some examples of SPI/PII?
A: Sure. Although it varies by jurisdiction, data such as a visitor’s full name, credit card number, and home address are commonly protected sensitive personal information. However, there are truly gray areas where there’s no real consensus on whether the data should enjoy such protection. For example, a person’s gender, zip code, and criminal record may or may not be considered PII.
And sometimes it’s a combination of two different pieces of information that becomes SPI when each part by itself is not. For example, “J. Smith” by itself may not be personally identifiable information. However, if the website collects this data and the name of Smith’s employer, together the data may constitute PII.
Q: So as a website owner, I’ve got additional responsibilities for protecting sensitive personal information that can be used to identify individual visitors?
A: Yes. However, you also should consider how your visitors treat each other’s PII too.
Q: What do you mean by that?
A: If your site allows visitors to post information (such as blog comments or forum posts), invariably someone will reveal personally identifiable information about themselves in the content they post even though they really shouldn’t do so. You want to make it clear in your policy that other visitors who read such PII can’t abuse it. This means you’ll want to prohibit or severely limit the circumstances under which they can use such information without the proper consent(s) do to so…