There has been a lot of discussion on privacy lists recently about whether IP addresses, email addresses, etc are PII (personally identifiable information). Clearly with regards to a specific law, you’d have to reference that law (or the corresponding case law) to make a determination. In general, though, I’d like to suggest a way of thinking about information in making this determination. Much of the discussion has revolved around whether the information by itself or in conjunction with other information can “identify” an individual. Does email@example.com identify John Smith and if so, which one? What about firstname.lastname@example.org? Does a dynamic IP address identify an individual or only when combined with the logs of the ISP?
The approach I suggest looks at information in terms of relationships to individual persons. Borrowing from the relational database world, information can be related One-to-One, One-to-Many or Many-to-Many.
Some examples would be
1. SSNs generally exhibits a One to One relationship: each person has one and only one SSN.
2. Physical addresses generally exhibit a One to Many relationship: several people could live at a particular address but most people only have one residential address.
3. First names generally exhibit a Many to Many relationship: at any given time there are millions of people named John and most people have many names (surname, given name, nickname, etc).
Hopefully you’ll see that almost anything COULD exhibit a many to many relationship. Just as we change IP addresses, we change physical addresses and some people have multiple residences. Even SSNs, though most people will only ever have one are used and reused by identify thieves.
A recent California court case,Pineda v William Sonoma
, considered whether zip codes were PII. Clearly, the relationship is many to many as many people reside in a single zip code and people move and change zip codes several times throughout their lives. It’s clear from the alleged facts of the case that William Sonoma used the zip code procured from Pineda in combination with additional information to identify her and her address and used that to contact her to solicit additional sales. While in and of itself the zip code did not uniquely identify her, that information was useful in identifying her. Without it, they may not have been able to track her down.
Other questions arise about whether car VIN numbers, license plates, etc are Personally Identifiable Information. I would have to argue absolutely. While in isolation the numbers don’t point to a particular individuals, they do relate to individuals in various ways, as owners, drivers, passengers, etc at particular times.
In our information driven world, we must take care that any descriptive information when combined with what it’s describing is PII and should be treated as such. “Blue” is not PII but “blue car” in context could very well describe (again) owners, passengers, sellers, drivers, etc….