Author(s): Paul M. Schwartz
Abstract: Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can, in many circumstances, be re-identified. PII and non-PII are thus not immutable categories, and there is a risk that information deemed non-PII at one point in time can be transformed into PII at a later juncture. Due to the malleable nature of what constitutes PII, some commentators have even suggested that PII be abandoned as the means to define the boundaries of privacy law.
In this Article, Professors Paul Schwartz and Daniel Solove argue that although the current approaches to PII are flawed, the concept of PII should not be abandoned. They develop a new approach called “PII 2.0,” which accounts for PII’s malleability. Built on a standard rather than a rule, PII 2.0 rests on a continuum of risk of identification. PII 2.0 regulates information that relates to either an “identified” or “identifiable” individual, and it establishes different requirements for each category. To illustrate their theory, Schwartz and Solove use the example of regulating behavioral marketing to adults and children. They show how existing approaches to PII impede the effective regulation of behavioral marketing and how PII 2.0 would resolve these problems.
Keywords: personally identifiable information, behavioral marketing, privacy, FTC, de-identification, computer science, technology