Personally Identifiable Information (PII), also known as “personal data” or “personal information,” is information that identifies, relates to, describes, or is linked or reasonably linkable to an identifiable individual. Certain types of PII are categorized as sensitive information. Sensitive data can usually only be processed with the individual’s explicit consent, unless the data is required for filing legal proceedings or claims, or there is a legal, public interest or regulatory requirement to process it. PII does not include de-identified data, aggregate information or publicly available information.
PII is addressed in commercial agreements such as data processing agreements, privacy policies, vendor agreements, and software‑as‑a‑service (SaaS) agreements, where parties must clearly outline responsibilities for safeguarding such data. Legal responsibilities pertaining to PII also arise in the electronic gathering of information through websites, mobile applications, and other digital platforms, especially when consumer products are being sold, making compliance with privacy regulations imperative.
In commercial agreements, including data processing agreements, privacy policies, vendor agreements, and software‑as‑a‑service (SaaS) agreements, it has become customary to outline each party’s responsibilities for safeguarding PII.
State data privacy laws regulate the electronic gathering of information through websites, mobile applications, and other digital platforms.
State Privacy Laws
The United States does not have a uniform federal law that governs the collection and use of personally identifiable information. Nineteen states have enacted, or are in the process of enacting, comprehensive privacy laws covering personally identifiable information. State privacy laws have a broad reach and can apply to businesses located outside of the state. However, each state has established different criteria for determining whether a business is subject to the requirements of its data privacy law, and smaller businesses may be exempt.
State laws vary in their definitions of, and protections for, PII. By way of example, California’s data privacy law contains the most comprehensive definition of PII. It provides that personal information means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Sensitive personal information is personal information that reveals: a consumer’s social security, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication; or a consumer’s genetic data.
The state data privacy laws include detailed requirements for disclosing what personal information is collected, how it is collected and used, whether it is disclosed, shared or sold, and how long it is retained.
These state laws impose obligations such as data breach notification and the implementation of reasonable security measures. They also grant individuals the right to request access to, correction of and deletion of their personal data, as well as the right to opt out of the sale or sharing of their PII, and they set time lines within which a business must respond to such requests.
Some states additionally require data processing agreements with third parties with whom collected PII is shared, employee privacy training, periodic data protection impact assessments, and privacy compliance audits. Creating a comprehensive data privacy compliance manual is crucial for ensuring that a business and its employees understand and adhere to state PII laws.
The use of tracking technologies (such as cookies and tracking pixels) on websites and other digital platforms has become increasingly difficult to manage as the state laws evolve and are revised, since such technologies can collect, share or sell PII and are therefore subject to the disclosure and opt‑out requirements described above.
As regulatory frameworks evolve, understanding the nuances of PII laws is essential for safeguarding both individual rights and business interests.
Key Takeaways
Take steps to ensure compliance with data privacy laws. This includes:
- Accurately defining PII and sensitive information in contracts.
- Outlining responsibilities for safeguarding and managing PII in privacy policies, and in agreements such as data processing agreements, vendor contracts, and SaaS agreements.
- Implementing robust data security measures and breach response plans.
- Establishing data processing agreements, conducting privacy training, and performing periodic data protection impact assessments and privacy compliance audits.
