Comment by SR2Z

3 years ago

Yeah, companies seem to think that "personally identifiable information" is basically just your name. That's clearly wrong because GPS data and VIN make it extremely straightforward to figure out who a car owner is.

As far as I'm concerned, this is PII. That statement is a bald-faced lie and a state AG should bring charges over this - it's extraordinarily irresponsible for Toyota to collect this data and then leak it for TEN YEARS.

"Personally identifiable information" is a legal term with a legal definition[1], and location data is not PII. Companies think that PII is basically just your name because that's literally true: PII means name and government-issued ID number. That's it. Everything else is not PII.

Relatedly, PII sucks as a basis for privacy law. The laws enshrining PII were made in response to identity theft[2], and that's the "threat model" those laws are protecting against. They do a reasonable job protecting against that threat model, but are very narrowly-focused on that threat model.

Fine-grained location data is absolutely sensitive data, and any non-braindead privacy legislation would consider it as such. The US lacks such legislation. It would be considered Personal Data under GDPR, and Personal Information under CCPA.

[1] Actually like 400 definitions in 400 different laws, but there's a lot of similarity.

[2] Specifically, the first data breach notification law was made in response to lawmakers being the victims of identity theft. This is a common thread in US privacy laws. See also Robert Bork.

  • https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

    (1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    GDPR accepts that a person can potentially be identified with reference to location data.

    Anyway, "Personally identifiable information" is a weird term. A person can be identifiable in various ways. Information is just information. GDPR doesn't use this term.

  • "Personally identifiable information" is a legal term with a legal definition

    In the U.S., the definition of PII varies depending on which federal department regulates your company.

    My company's legal department recently sent down new PII rules, with links to the relevant federal agencies' policies. Much purging of log files ensued.

    I think most tech people would be shocked to see what very basic information some federal agencies consider PII.