by lmkg
1132 days ago
"Personally identifiable information" is a legal term with a legal definition[1], and location data is not PII. Companies think that PII is basically just your name because that's literally true: PII means name and government-issued ID number. That's it. Everything else is not PII.

Relatedly, PII sucks as a basis for privacy law. The laws enshrining PII were made in response to identity theft[2], and that's the "threat model" those laws are protecting against. They do a reasonable job protecting against that threat model, but are very narrowly focused on that threat model.

Fine-grained location data is absolutely sensitive data, and any non-braindead privacy legislation would consider it as such. The US lacks such legislation. It would be considered Personal Data under GDPR, and Personal Information under CCPA.

[1] Actually like 400 definitions in 400 different laws, but there's a lot of similarity.

[2] Specifically, the first data breach notification law was made in response to lawmakers being the victims of identity theft. This is a common thread in US privacy laws. See also Robert Bork.
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
GDPR accepts that a person can potentially be identified with reference to location data.
Anyway, "Personally identifiable information" is a weird term. A person can be identifiable in various ways. Information is just information. GDPR doesn't use this term.