
PII and NPI - What is the Difference?

See our privacy report and our associated video here:

Privacy Laws - An Executive Overview
Navigating Privacy Laws (Video)

Now let's continue explaining the difference between NPI and PII...

People often use the terms PII and NPI interchangeably, but as privacy laws get more nuanced, it should be recognized that the difference between the two is significant.

We are going to use the definitions provided by two different laws as the basis of this discussion: the California Consumer Privacy Act of 2018 (AB 375, or CCPA) for PII, and the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, for NPI.

As various states roll out their own privacy laws, they may tweak their definitions of these terms, so you may need to consult an attorney for more guidance. This is just our best shot at defining these terms.

Personally Identifiable Information (PII)

Personally Identifiable Information (or Personal Information as the CCPA calls it) is defined as:

"Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household".

Additionally, the following information is specifically listed in the law as being PI or PII:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
  2. Any categories of personal information described in subdivision (e) of Section 1798.80.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
  11. Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

It should be noted that "Personal Information" does not include publicly available information. For these purposes, "publicly available" means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.

Publicly available does NOT mean:

  • Biometric information collected by a business about a consumer without the consumer's knowledge.
  • Data that is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.
  • Consumer information that is de-identified or aggregated as consumer information.

Let's take a closer look at one type of PII. Biometric information means:

  • DNA information
  • Iris images
  • Retina images
  • Fingerprints
  • Face
  • Hand
  • Palm
  • Vein patterns
  • Voice recordings (which could include support or service phone calls)
  • Keystroke patterns or rhythms
  • Gait patterns or rhythms
  • Sleep, health or exercise data that contains identifying information (Fitbit?) (See California Civil Code 1798.140(b))

Inferences drawn from any of the information listed above about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes are PI under CCPA.

Images of individuals captured by a video surveillance system can be personal information to the extent that individuals are recognizable.

Information that "is capable of being associated" or "could reasonably be linked" is also covered. An example of this is the service register of a car held by a mechanic that is tied to your name, license plate or VIN, if it includes information such as dates, mileage, technical problems and material condition. If that information is also tied to the mechanic(s) who did the work, it could be PI of the mechanic as well.

Section 1798.80 of the California Civil Code defines personal information this way:

"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

So, for example, your signature is PII or PI, as are your physical characteristics, however those might be defined.

Non-Public Personal Information (NPI)

In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA, 15 USC 6801-6827), which contains rules regarding the privacy of "nonpublic personal information" collected by financial institutions. In addition to the statute, there are extensive regulations promulgated by the Securities and Exchange Commission, banking regulators and the Federal Trade Commission. The GLBA does not preempt state laws that give greater privacy protection, and several states have statutes going beyond the GLBA that are not preempted (the California CCPA is an example).

The personal information covered by the GLBA is termed "nonpublic personal information," which is defined as:

"Personally identifiable financial information - provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer; or otherwise obtained by the financial institution."

The term does not include publicly available information.

Regulations issued under this statute define "personally identifiable financial information" as any information:

"A consumer provides to you to obtain a financial product or service from you; about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer."

Those definitions are important, because "nonpublic personal information" as defined covers just about all nonpublic information provided by a consumer or customer, whether or not it appears to be particularly sensitive or confidential.

Examples of NPI covered by GLBA are:

  • Name, address, income, social security number or other information on an application.
  • Information from a transaction involving your financial product(s) or service(s) such as the fact that an individual is your customer or consumer, account numbers, payment history, loan or deposit balances and credit or debit card purchases.
  • Information obtained as part of providing a financial product or service such as from court records or from a consumer report (as long as that data was not publicly available).

Implications of the difference between PII and NPI

Based on the definitions of the terms above, you can see that the definition of PII is much broader than the definition of NPI. Much information that is publicly available, such as property records, email information, postal addresses (if available in public records) and professional or employment-related information (as might be available on social media), is exempted from GLBA protections.

In addition, there is significant PII that may or may not be collected and that is simply not considered by GLBA. Examples of this are biometric information, Internet activity (such as what occurs when a customer interacts with one of your web sites), audio information (such as any recorded interactions with your contact center or other employees), inferences or preferences that may be drawn from the information collected (for example, for use in targeted marketing), and a great deal of other information.

It is therefore important that our clients consider the whole of the information that may be stored about a customer when determining what can reasonably be considered exempt under state privacy laws such as CA AB 375 because of their carve-outs for GLBA and other federal laws. That decision must be made, of course, in light of being able to defend it, if needed, in a court of law in front of a jury.

References:
https://medium.com/golden-data/what-is-personal-information-under-ccpa-cacf3aade252
https://cdn.campaign.piwik.pro/2018/12/How_PII_Differs_from_Personal_Data_-_3_Key_Factors.pdf
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&lawCode=CIV
https://www.insurancejournal.com/magazines/mag-legalbeat/2007/03/12/77898.htm