New York University Law Review

Volume 86, Number 6

December 2011

The PII Problem: Privacy and a New Concept of Personally Identifiable Information

Paul M. Schwartz, Daniel J. Solove

Personally identifiable information (PII) is one of the most central concepts in
information privacy regulation. The scope of privacy laws typically turns on
whether PII is involved. The basic assumption behind the applicable laws is that if
PII is not involved, then there can be no privacy harm. At the same time, there is no
uniform definition of PII in information privacy law. Moreover, computer science
has shown that in many circumstances non-PII can be linked to individuals, and
that de-identified data can be re-identified. PII and non-PII are thus not immutable
categories, and there is a risk that information deemed non-PII at one time can be
transformed into PII at a later juncture. Due to the malleable nature of what constitutes
PII, some commentators have even suggested that PII be abandoned as the
mechanism by which to define the boundaries of privacy law.

In this Article, we argue that although the current approaches to PII are flawed, the
concept of PII should not be abandoned. We develop a new approach called “PII
2.0,” which accounts for PII’s malleability. Based upon a standard rather than a
rule, PII 2.0 utilizes a continuum of risk of identification. PII 2.0 regulates information
that relates to either an “identified” or “identifiable” individual, and it establishes
different requirements for each category. To illustrate this theory, we use the
example of regulating behavioral marketing to adults and children. We show how
existing approaches to PII impede the effective regulation of behavioral marketing,
and how PII 2.0 would resolve these problems.