What is Personally Identifiable Information (PII)? Definition, Technology and Compliance Best Practices with Examples
Mar 09 2020 | 04:56 PM | 10 Mins Read | Level - Intermediate | Read ModeChitra Iyer Editor in Chief, Ziff Davis B2B
Connect with Author
At MTA, Chitra creates research-based content that reflects the dynamics of the martech industry. She also lends her expertise to help plan and execute diverse campaigns, events & content strategies on the MTA platform, based on unique client needs. With over 15 years of experience in strategic marketing and communications, she has a great grasp on the way marketing professionals approach technology, their need to evolve and transform as marketers in the digital age, and the challenges therein. Specializing in Content Strategy, Digital Marketing, and Loyalty Marketing; and having worked on both the marketer and the vendor side, Chitra has a knack for writing about martech in a way that simplifies this complex landscape for the end-reader, while still addressing the depth and layers of the subject. Chitra has studied media and communications at the London School of Economics and Political Science, UK, and worked at blue-chip companies including Timken, Tata Sky and Procter & Gamble (P&G;).
Personally identifiable information (PII) is defined as any public or private data of a person that can be used for identification or distinguish one person from another. Learn more about what PII is, its application in marketing, PII data governance and its best practices with examples.
CUSTOMER DATA PLATFORM (CDP) BUYERS’ GUIDE 2019
Welcome to the 2019 edition of CDP Buyers’ Guide. As customer data platforms are becoming increasingly necessary for enterprise marketers, it is also becoming more complex to choose the best fit CDP platform amongst the pool of new and old vendors.
DownloadTable of Contents:
- What is Personally Identifiable Information (PII)?
- Why do marketers need PII data?
- Personally Identifiable Information (PII) Data Collection Process
- PII data governance, compliance and regulations
- Best Practices for PII data collection, storage and usage
What is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is defined as any public or private data of a person that can be used for identification or distinguish one person from another.
PII is divided into two categories:
Linked Information: Any information that can be directly and independently used to identify an individual. For example, information such as the full name, address, email id, social security number, contact number, login details, credit card details, etc.
Linkable Information: Any information that can identify a person when combined with another data point (but is not enough by itself to identify someone definitely). For example, information such as the first or last name, location, gender, age group, work details (job title, company), etc.
Non-PII data is defined as any data that cannot be used to identify a specific individual/ customer. It is also known as anonymous data, and is most commonly used in advertising technology applications. Non-PII is also useful to marketers in many situations, since it does reveal a wealth of information on when prospects and customers visit touchpoints, how they interact and other segment-wide insights, etc. but it doesn’t help with personalization or individual targeting. Non-PII data includes cookies and device IDs.
However, as we will see in the section on compliance and governance, the lines between PII and non-PII are rapidly blurring as the regulations around the collection, storage and usage of all customer data getting stricter. This tightening of regulation also recognizes that the technology to collect customer data in general, and specifically when it comes to making inferences from non-PII to identify who a particular individual may be is advancing.
Why do marketers need PII data?
PII can be used for a range of applications, but in the context of marketing, it is generally associated with gathering data to more definitively identify prospects and customers; and deliver increasingly personalized marketing messages and offers to them.
Today, whether we want to or not, as marketers, we collect a deluge of data in myriad forms. An increasing number of marketers are collecting and storing prospect and customer data and customers based on both - interactions and transactions – across a range of online and offline touchpoints.
The data that marketers collect directly from prospects and customers who interact or transact with them on ‘owned’ channels and touchpoints is called ‘first-party data’. Marketers can also purchase or access ‘second-party data’ or ‘third-party’ data from other data owners or vendors - this is data which was not given directly to them and which may well have been volunteered by the customer for another purpose altogether, or worse, the customer may not even be aware that their data is being traded without their express consent.
Irrespective of how its acquired, marketers use data to run customer analytics, identify behavioral patterns, identify segments or specific individuals as well as analyze consumer shopping behaviors and personal preferences in order to better engage prospects and customers, and personalize marketing messages for the best conversion outcomes.
When done right, the use of ethically sourced first-party PII can give marketers a sustainable competitive advantage as they are able to make marketing far more personalized, targeted and contextual. However, balancing the marketing outcomes of collecting and using PII with the regulatory, compliance and governance aspects of collecting, storing and using an individual’s personal data is indeed a slippery slope – one that has brought many large brands to its knees and resulted in huge payouts as fines for the mishandling, misuse, and even abuse of the data.
Personally Identifiable Information (PII) Data Collection Process
While government agencies have the most access to PII, in the always-on and always-connected world we operate in today, technology has made it easier than ever for marketers also to collect data from prospects and customers.
Online commerce sites and financial and banking related sites by the nature of their product or service get access to payment details, banking details and addresses, telephone numbers etc.
Mobile apps and video games also ask to access almost all details contained in a phone when giving users access to the service. Social media apps and smartphones know your location and several other details at any point of time.
While anonymous data such as IP address, device ID and cookies are easy to collect whenever someone visits a website, the ethical collection of other PII data points need the prospect to voluntarily share that data with the marketer. In marketing, it is called collecting permission-based first-party data or consent-based data collection.
For example, in the B2C world, when you visit an online shopping site, you must share your contact details and payment details at the very least, in order to use the service. If the service requires you to ‘sign-up and log in’ then they will ask for even more details- everything from sex to shopping preferences. While sharing this data, you have to often choose if you ‘consent’ to or ‘give permission to’ the marketer to use this data for more than just completing the current transaction, and whether they can store your data for future use. Often, the customer will make a choice based on the convenience and the significance of the service in their life.
In general, marketers can assume that customers would not like to share PII, and if they have to, they would prefer to share the bare minimum PII required, and certainly would not like it stored for future marketing use, unless they are highly engaged with the brand and trust the marketer implicitly. Examples of this degree of engagement and trust can be seen with long-running loyalty programs, especially in the travel and hospitality sector, where ‘being recognized’ is an important part of the experience for the regular traveler.
In the B2B world, you may need to reveal your job title and company name and contact details in order to download useful content or even place an order or replacement. Again, the marketer has to provide consent for any additional usage of the data being collected.
Often, marketers coerce prospects and customers into sharing data in exchange for the service, but this is not a sustainable strategy and certainly not one which can win customer trust and confidence. Increasingly, such behavior would not just be unethical, but also illegal, given the debates across the world on the way marketers are collecting and using customers’ data.
With technology like identity resolution and customer data platforms getting more advanced by the day, it is getting easier to identify an individual from a collection of fragmented data points. For example, with probabilistic identity resolution, it is possible to make a match between linkable data points to make a fairly accurate match about a specific individual’s identity. Deterministic identity matching can make an almost certain match between data points to resolve an individual’s identity across devices and channels. In the B2B world, there are services that can take a standalone data point such as email ID and be able to backfill details like the individual’s full name, company name, title, contact details etc.
PII data: governance, compliance and regulation
Thanks to the technological advances in PII data collection, and the resulting misuse and abuse of the data to make profits at the cost of violating individual privacy and manipulating marketing outcomes, governments around the world have woken up and put in place increasingly restrictive guidelines on who can collect data and how, the rules to store it, and how it can be used for marketing or any other purposes.-
From Google to Facebook, Target to Equifax, there are several stories of data misuse and abuse. Owners of the data tend to view the gathering of PII as not something entirely desirable, as they fear the misuse of their data in the form of unsolicited communications from marketers, or worse, the breach of their data by illegal operators who can then use it to cause financial or other forms of damage.
It is important for marketers to put in place strict frameworks that govern data collection, storage and use. While self-governance is crucial, complying with local, regional and national laws and regulations is also important, especially as regulatory bodies have started applying hefty fines for compliance breaches and violations. From the GDPR in Europe to the CCPA in California, and any number of other acts in different parts of the world, it is crucial for marketers to follow data collection, storage and use best practices.
It is also equally the marketers’ responsibility to ensure they are sourcing non-first party data from in ethical ways and from ethical partners.
In fact, in Europe, several companies have stopped even collecting cookies on their website to avoid falling foul of regulations and laws. In this scenario, the careful, considered collection, storage and usage of permissioned first-party data has become ever more critical to marketers.
Best Practices for PII data collection, storage and usage
While most responsible marketers will try their best to ensure they are in full compliance of the law when it comes to PII, there are some best practices to keep in mind that can minimize vulnerabilities.
1. Self-regulation with data governance frameworks and policies: first and foremost, every organization needs to put in place a data governance framework and policy, and get every employee of the organization to understand and sign off on the policy to ensure compliance. This policy should be based on the reality and context of the particular company, market and geography. Thought leaders are starting the conversation around ‘lean surveillance’ as a sustainable practice to balance the need for customer data and self-governance.
2. Managing geographical complexities: companies that operate globally, especially online retailers who may have customers from all over the world, need to be especially careful in terms of being compliant with diverse laws in different part of the world and which jurisdictions they need to adhere to.
3. Minimizing the collection of customer data and PII: in general, it is a best practice to minimize the collection of customer data, and especially PII, as it is the most susceptible to misuse and abuse. Irrespective of who acts illegally, the company and brand that has used the data is not only liable, it also risks its hard-won reputation, customer trust and confidence, in the event of a breach or violation of customer data rights.
4. Data storage best practices: marketers who collect data must also have a plan to store the data securely, with no possibility of the data getting hacked or leaked to unauthorized persons or entities. IT experts must be involved, and appropriate investments made to ensure risk mitigation. Companies also need a written policy in place when it comes to informing customers in the event of a breach or security violation. Data owners should review the data they hold regularly, and archive or delete data as needed. More is not better when it comes to data storage, and it is certainly not safer.
5. Strict consent norms: marketers need to follow the philosophy of ‘informed consent’ – giving prospects and customers full disclosure on what data is being asked, how long it will be stored and how their data will be used internally and externally. Also, all employees must be trained to adhere to consent norms while creating and executing any data collection touchpoints such as web forms, sign-in or registration pages, order pages etc.
6. Privacy by design (PbD) should be intrinsic to marketing strategy, where marketers build in a privacy-first approach into all its marketing data collection irrespective of what the law says. As Bryta Schulz says in her exclusive feature on MarTech Advisor, “PbD’s journey from being a niche obsession of techies to a foundational element of arguably the most-discussed privacy regulation in history contains valuable lessons about why brands need to incorporate privacy into every digital product or service of theirs that touches the consumer, not just for GDPR-compliance purposes but to provide a great customer experience and mitigate against breaches and cyber-attacks as best as a company can in today's times.”
7. Involve all stakeholders: legal, IT, marketing and corporate governance are all equal stakeholder in the collection and management of customer data, and need to be involved from the start, even if the application of the data is for marketing purposes alone.
8. Be selective and accountable about the source and use of third-party data: marketers need both first- and third-party data to run complex marketing campaigns – however, it is not just firt-party data collection they need to be careful about designing. Third-party data too need to be sourced from responsible and ethical vendors who can vouch for the customer’s permission or consent for the use, trade, and exchange of the data. In case of any doubts, it is best to anonymize the data before using it for any marketing applications, in order to minimize liability.
The future of PII in marketing
With IoT, smart devices both in and out of the home, wearable mobile devices and more, data will become increasingly easier to collect – but will also be increasingly more difficult to manage, store and use in responsible ways. Regulations and laws are going to get stricter in design and enforcement as well, and marketers will in increasingly liable for the data they collect and use, both to lawmakers and to their customers themselves.
In all cases, the general principle is tending towards the fact that marketers who follow best practices, enable informed consent and engage in a meaningful dialogue with their customers about the data needed to best serve them will win the customers confidence. Great customer data management – especially of PII – is also great for brand reputation and customer confidence, and ultimately, for business.