PERSONALLY IDENTIFIABLE INFORMATION (PII)
The single most important term you need to become familiar with when setting up your own website to interact with users, customers, clients, etc. is “personally identifiable information,” usually shortened to “PII.” This special set of information is what most states’ and countries’ privacy laws concern themselves with most. Different jurisdictions define PII differently, but a good rule of thumb is that if you have collected a person’s name plus another identifying piece of information about them (e.g. driver’s license number, physical address, email address, etc.), you now have PII in your possession. When you collect PII, you are generally subject to the privacy laws of whatever state or country that person lives in, regardless of where your servers sit. This means that you need to consider the impact of these laws (or have counsel investigate the legal requirements) before you start collecting PII from residents of a particular state or country.
Privacy Policies are essentially legally binding promises that you make concerning your practices for handling the personal information of your website’s users. Some states (e.g. California) have laws that require website operators to post a Privacy Policy on their website as soon as they begin collecting PII about residents of that state. Failure to do so, or saying one thing in the policy and doing another, can result in unwanted attention from the state Attorney General, the Federal Trade Commission (FTC), and possibly even private citizens.
COLLECTING PII FROM FOREIGN COUNTRIES
As mentioned above, different countries have different requirements. As much as we would like to treat it as such, the internet is not one borderless realm where anything goes (at least not anymore). Depending on where you operate, or where you are collecting PII from, different sets of laws apply to your collection, handling, and storage of PII.
The European Union, in particular, creates significant compliance obligations for US companies collecting PII about people in the EU and transferring it back to servers in the US. Under the EU Data Protection Directive (and the General Data Protection Regulation, or GDPR, which replaces it in May 2018), personal data may be transferred out of the EU only to a country the European Commission has found to provide an adequate level of protection, or under an approved safeguard. The US as a whole has no such adequacy finding, in part because of concerns about the US Government’s bulk data collection practices. One approved route is the EU-US Privacy Shield, under which US companies self-certify to the Department of Commerce that they will handle EU personal data in line with the Privacy Shield principles; standard contractual clauses approved by the Commission are another.
If you are collecting PII from people outside the US, you should have counsel look into any specific requirements these countries may have.
By: Kieran de Terra, Esq. – 02/26/17
Disclaimer: Although this article may be considered advertising under applicable law and ethical rules, the information in this article is presented for informational purposes only. Nothing should be taken as legal advice. Reading this article does not form an attorney-client relationship with us. An attorney-client relationship is formed through a signed engagement agreement. If you would like further information, wilkmazz pc would love to help you out! Feel free to reach out with any questions.