It is easier than ever to identify a consumer with just a few pieces of seemingly innocuous information. Advances in big data analytics, combined with the increasing volume of data generated by consumers in their daily lives, have “increasingly blurred [the] line” between personally identifying information (PII) and non-PII, according to a recent speech by Federal Trade Commission (FTC) Chairwoman Edith Ramirez. She expanded on her point by expressly stating that the FTC “now regard[s] data as personally identifiable when it can be reasonably linked to a particular person, computer, or device.” According to the Chairwoman, “[i]n many cases, persistent identifiers, such as device identifiers, MAC addresses, static IP addresses, and retail loyalty card numbers meet this test.”
The Chairwoman’s statements echo prior FTC statements on this issue. For example, back in 2009, FTC staff published a report on online behavioral advertising that recognized that “what constitutes PII versus non-PII is becoming less and less meaningful.” The staff observed, “[e]ven where certain items of information are anonymous by themselves, they can become identifiable when combined and linked by a common identifier.” The FTC repeated this theme in its 2012 privacy report. Moreover, the FTC’s 2012 revisions to its rule implementing the Children’s Online Privacy Protection Act added persistent identifiers—when used for certain purposes—to the definition of covered “personal information,” thereby requiring parental consent with respect to them.
The FTC’s position reflects a wider trend, over time, toward an expansion of the definition of PII by a variety of regulators. California’s Online Privacy Protection Act of 2003, for example, has been revised to add obligations over the years, and it defines PII broadly to include “Any other identifier that permits the physical or online contacting of a specific individual.” Some states have expanded their personal information safeguards and/or breach notification laws’ definitions of PII. For instance, Florida and Nevada have updated their safeguards and data breach notification laws to expand the definition of “personal information” to include online account credentials. In addition, the European Union (EU) Advocate General recently recommended to the EU’s highest court that dynamic IP addresses be treated as PII on a pan-European basis—even if a website operator cannot identify the user behind the IP address it collects, but the Internet access provider can. Moreover, the EU General Data Protection Regulation that will come into effect in May 2018 includes genetic and biometric data in the definition.
It remains unclear exactly what the Chairwoman’s reference to “in many cases” means and, thus, in what circumstances persistent identifiers will be deemed to be PII by the FTC. In her speech, however, the Chairwoman reinforced the FTC’s position that consumers should be informed and, when appropriate, have choices about a company’s information collection, use and disclosure practices—even when such information does not fit neatly within traditional notions of what is “personally identifiable.” Companies should expect the definition of personal information to continue to expand in the United States and across the world.