Privacy Legal Terms Every Business Leader Should Know
A multitude of different privacy laws place strict requirements on businesses to properly handle customer information. While many of these requirements are simple enough, the majority of them depend on correctly understanding the specialized terms used. This is where things get confusing. What’s the difference between personal information and personally identifiable information? Aren’t they both the same as account data? Why do most privacy laws have different requirements for each?
Understanding Privacy Laws
Most privacy laws focus on prioritizing the customer’s right to privacy over a company’s interest in sales. These laws primarily deal with how a company may or may not use someone’s confidential information, and even how much they can collect. However, it’s not as simple as dividing customer info into categories like phone numbers or emails. Different types of private information enjoy different levels of protection, and unfortunately, these different types of information often have confusingly similar names. And these definitions aren’t all your marketing team needs to know. Let’s look at a few of the most common privacy legal terms your business leaders need to know.
Personal Information/Personal Data
The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. An identifiable natural person is anyone who can be directly or indirectly identified by reference to information such as their location, name, ID number, etc. The amount of data that fits this definition is massive. Suffice it to say, the vast majority of customer data you collect falls under the GDPR’s legal definition of personal information. And since most other privacy laws agree with this definition, restrictions on using personal information tend to apply universally.
Personally Identifiable Information (PII)
Personally identifiable information, or PII, is defined as information that can be used to identify a particular person. This may sound similar to personal data, but there’s one key difference. Personal data can be anonymized or “pseudonymized” by replacing key portions of data with placeholders. This ensures the data cannot be used to trace a particular person. PII, on the other hand, is information that can “de-anonymize” the data. Examples of PII include social security numbers, full names, bank account information, email addresses, etc. Since this information is far more specific to each individual, it’s easier to use PII to track down a particular person. PII thus deserves extra security.
Account Data
Account data is any and all data a customer provides when creating an account with a company. Most account data falls under the PII umbrella, since customers provide such personal data as email addresses or even payment details to create an account. You should treat account data with the same attention and care you give to PII.
Sensitive Personal Data
Sensitive personal data includes data of a more intimate nature. This includes the customer’s ethnicity, political leaning, genetic data, healthcare information, religious beliefs, trade-union membership, and other personal topics. Depending on the nature of your business, you may never deal with this information. But if you do, understand that sensitive personal data is intensely personal to the customer. Making this information public could result in discrimination, reputation damage, or personal attacks based on identity. Treat this information with the utmost care, and collect it only if strictly necessary.
Cookie Consent/Tracking Consent
Cookie consent (sometimes called tracking consent) involves asking the user if your website can use cookies in their browser. These cookies might track recently visited pages, products clicked on, or other activity data on your website. Certain cookies can also keep a site visitor logged in.
Most websites that practice cookie consent use pop-ups or banners to keep customers informed and allow them to withdraw consent. Depending on which privacy laws your business is subject to, these notifications might be mandatory.
Zero-Party Data
Zero-party data is data provided directly by the consumer when they make a purchase or fill out a form. This could include their name, email address, shipping address, or payment information. Zero-party data is generally preferable to third-party data as it’s more likely to be accurate. Focusing on zero-party data also shows respect for a customer’s privacy, as you only collect and use the data they give you.
Marketing Consent
One practical application of zero-party data is marketing consent. Marketing consent differs from cookie consent in one significant way: the customer has provided their data willingly as part of a particular activity. (As in the previous example, maybe they filled out a lead form or registered for an event.) Marketing consent is the user’s consent for your company to use the data they provided for its intended purpose. For instance, a customer who registers for a virtual event and provides their email address is giving you permission to send them an event link.
Sometimes, this form of consent has a second layer. An event registration form may offer the user the choice of whether or not to be contacted with additional marketing information and offers later. This form of consent may last longer than that required only for the event registration (though exactly how much longer depends on your company’s privacy policy and applicable privacy laws).
Anonymized Data
Anonymized data has had all PII removed or changed permanently to ensure that it cannot be connected to an individual ever again. This process is designed to be irreversible. Since this data cannot be connected to specific people, anonymized data is usually not protected by privacy laws the same way personal information is.
De-Identified/Pseudonymized Data
De-identified or pseudonymized data is a collection of customer data that has had all PII removed or replaced with dummy data. Unlike anonymized data, de-identified data can still be connected to an individual since the removed or altered information is retained elsewhere. Pseudonymized data is thus protected by privacy laws.
Opt-In/Opt-Out
Opting in or out refers to a particular method of granting consent. In most regions, a customer is considered to have “opted in” to data collection and processing if they are informed of it and continue using the website. Should they change their mind, they can inform the website of their choice through a dedicated link or page.
However, some regions’ laws do not allow customers to be opted in by default. Websites must inform users of data collection and processing and ask for their explicit consent. A user who ignores these notifications is considered to be opted out.
Keeping Track of Your Privacy Responsibilities
The GDPR is far from the only law focused on customer privacy. Countries across the world have since adopted their own, many with obvious GDPR influence. In the absence of a federal US privacy law, multiple states are adopting or considering their own, and a federal law is expected to pass at some point. For business leaders, the takeaway is simple: they have an increasing number of intricately detailed privacy laws to follow as they use their customers’ data. Worse, even a minor violation could burden the company with significant fines.
Following updates to each law and ensuring ongoing compliance create enough work for a full-time job. Fortunately, there’s a better solution: 4Comply. This expertly designed framework keeps track of which customers have given consent for their data to be used, streamlines customer rights requests, and creates a meticulously detailed record for legal purposes. 4Comply is designed to help you stay compliant with current and future privacy laws. All the information you’ll need is at your fingertips!