Now let's continue explaining the difference between NPI and PII...
People often use the terms PII and NPI interchangeably, but as privacy laws get more nuanced, it should be recognized that the difference between the two is significant.
We are going to use the definitions provided by two different laws as the basis of this discussion: the California Consumer Privacy Act of 2018 (AB 375, or CCPA) for PII, and the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, for NPI.
As various states roll out their own privacy laws, they may tweak their definitions of these terms, so you may need to consult an attorney for more guidance. This is just our best shot at defining these terms.
Personally Identifiable Information (PII)
Personally Identifiable Information (or Personal Information as the CCPA calls it) is defined as:
"Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household".
Additionally, the following information is specifically listed in the law as being PI or PII:
It should be noted that "Personal Information" does not include publicly available information. For these purposes, "publicly available" means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.
Publicly available does NOT mean:
Let's take a closer look at one type of PII.
Inferences drawn from any of the information listed above about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes are PI under CCPA.
Images of individuals captured by a video surveillance system can be personal information to the extent that individuals are recognizable.
Information that "is capable of being associated" or "could reasonably be linked" is also covered. An example of this is a car's service record held by a mechanic and tied to your name, license plate or VIN, if it includes information such as dates, mileage, technical problems and material condition. If that information is also tied to the mechanic(s) who did the work, it could be PI of the mechanic.
Section 1798.80 of the California Civil Law defines personal information this way:
"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
So, for example, your signature is PII or PI, as are your physical characteristics, however those might be defined.
Non-Public Personal Information (NPI)
In 1999, Congress enacted the Gramm-Leach-Bliley Act (GLBA, 15 USC 6801-6827), which contains rules regarding the privacy of "nonpublic personal information" collected by financial institutions. In addition to the statute, there are extensive regulations promulgated by the Securities and Exchange Commission, banking regulators and the Federal Trade Commission. The GLBA does not preempt state law that gives greater privacy protection, and several states have statutes going beyond the GLBA that are not preempted (the California CCPA is an example).
The personal information covered by the GLBA is termed "nonpublic personal information," which is defined as:
"Personally identifiable financial information - provided by a consumer to a financial institution, resulting from any transaction with the consumer or any service performed for the consumer; or otherwise obtained by the financial institution."
The term does not include publicly available information.
Regulations issued under this statute define "personally identifiable financial information" as any information:
"A consumer provides to you to obtain a financial product or service from you; about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer."
Those definitions are important, because the way "nonpublic personal information" is defined includes just about all information provided by a consumer or customer that is nonpublic, whether or not it appears to be particularly sensitive or confidential.
Examples of NPI covered by GLBA are:
Implications of the difference between PII and NPI
Based on the definitions above, you can see that the definition of PII is much broader than the definition of NPI. Much information that is publicly available, such as property records, email information, postal addresses (if available in public records), and professional or employment-related information (as might be available on social media), is exempted from GLBA protections.
In addition, there is a significant amount of PII, which may or may not be collected, that GLBA simply does not consider. Examples are biometric information, Internet activity (such as what occurs when a customer interacts with one of your web sites), audio information (such as any recorded interactions with your contact center or other employees), inferences or preferences that may be drawn from the information collected (for example, for use in targeted marketing), and a great deal of other information.
It is therefore important that our clients consider the whole of the information that may be stored about a customer when determining what can reasonably be considered exempt under state privacy laws such as CA AB 375 because of their carve-outs for GLBA and other federal laws. That decision must be made, of course, with a view to being able to defend it, if needed, in a court of law in front of a jury.