What is “Personally Identifiable” Information?
Personally Identifiable Information (PII) varies according to which privacy laws you are looking at.
Basically, any information that might identify an individual is PII. This includes, but is not limited to:
- Date of Birth
- Social Security Number
- Email Address
- Mailing Address
- Billing Address
- Credit Card Information
- Health Information
- Phone Number
There are numerous laws and regulations that cover privacy for citizens of various parts of the world. It can get very complicated knowing which ones apply to you and which ones don’t.
A few of these regulations are:
- The Children’s Online Privacy Protection Act (COPPA) – this is a US policy covering children’s privacy protection. If you collect information online then this policy applies to you, even if your website or app is not for children.
- The California Online Privacy Protection Act (CalOPPA) – this is California’s privacy protection act for its citizens. There are clauses in it that affect people and businesses outside of California if the person visiting your site or app lives in California.
- The Personal Information Protection and Electronic Documents Act (PIPEDA) – this is a Canadian privacy protection act. Just like the California act above, if your website or app visitors are Canadian then this act applies to you.
- The General Data Protection Regulation (GDPR) – this is the European Union’s (EU) privacy protection regulation for its citizens. You guessed it, this applies to you if you collect PII from someone living in the EU. This regulation also has one of the stiffest penalties for non-compliance. The fines start at 10 million Euro, and go up from there.
There are more and more privacy regulations being added all the time. Most states are looking at adding a policy that will affect anyone collecting information about their citizens.
Currently, this means your policy needs to contain:
- What information you collect – do you collect their name, email, phone number, etc.
- How you collect it – how is it collected? Via form submission, contests, etc.
- Why you collect it – what will you use their information for? To contact them, promote your services, etc.
- What happens if the person does not want you to have that information anymore – if they request to have their information deleted, how does that affect them? Will they no longer have access to content, will they no longer receive your emails, etc.
- Children’s privacy – how do you protect children’s privacy, and if your website is not meant for children, a statement saying so
- Do you use analytics programs – if you use any analytics programs you need a statement about which ones you use. Google Analytics requires that you give the person information enabling them to opt out
- How you use the information – do you use it to market to them, send them emails, snail mail, etc.
- Do you sell the information – self-explanatory, hopefully
- Do you share the information – do you share this info with anyone? Third-party vendors, CRM, etc.
- How long you keep the information – do you keep it for a certain amount of time or until something happens
- Do you perform direct marketing – do you use the information to sell products and services directly to the individual
- Do you use automated decision making and/or profiling – do you use the information you collect to do anything that is automated, such as delivering an email based on a form they filled out
- Do you link to third party websites – does your site or app contain any links to other websites or apps
- Do you support Do Not Track – Do Not Track is a preference you can set in your web browser to tell sites you don’t want to be tracked; do you support this
- How can people opt out – how can people prevent their information from being stored, or get it removed
- What rights do people have – what rights do they have based on current privacy acts and regulations
- Where is the data processed – in what location does the data processing occur
- Do you have a Data Protection Officer (DPO) – the DPO is a requirement of the GDPR for certain businesses
- Contact information – who can the individual get a hold of for questions
- Do you intend to transfer data to a third-world country or international organization – are you sending information outside your nation
- Do you offer health or fitness services – do you offer nutrition, fitness, or other health related advice
- Do you offer legal services – are you a lawyer, paralegal, or do you offer other legal advice
Create Your Policy Now
If you need help in this area, or want more information about Termageddon and getting it set up on your site, send me an email or give me a call.