Gathering Personal Information Discreetly

Gathering personal information discreetly is an art that takes a lot of practice. Whether collecting personal information directly or indirectly, the goal is to avoid causing harm, embarrassment or inconvenience to the individual.


Depending on the circumstances, this may involve having to interview a subject or rely on a third party source. Alternatively, it may simply mean having to be careful about how information is gathered.

What is Personal Information?

Many privacy laws around the world have the same basic requirement: that personal information must be treated with care. What that entails differs across privacy laws, but the definition of personal information is generally very broad and includes any data that can be used to identify a specific individual.

For example, the California Consumer Privacy Protection Act (CCPA) defines personal information as any data that identifies or relates to a particular consumer or household, such as their real name, alias, postal address, unique personal identifier, online identifier, email address, account number, driver’s license or passport number, and other similar information. It also includes inferences drawn from personal information, like their shopping or purchasing history and tendencies, and their demographic characteristics.

Other states have passed stricter privacy laws, including Connecticut’s Data Protection Law and New Hampshire’s Data Privacy Act. These laws use very similar definitions to the CCPA.

Similarly, Canada’s Privacy Act includes any data that can be used to identify or describe an individual, regardless of whether the information itself is sensitive or not. Interestingly, the Personal Information Protection and Electronic Documents Act (PIPEDA) excludes some data that would be considered personal information in other countries, such as IP addresses or browser fingerprinting, which can reveal the specific devices used to access the internet. However, the PIPEDA does include a lot of other data that is likely to be considered personal in other countries, including biometric information and location tags.

What is Non-Sensitive Personal Information?

Non-sensitive personal information is data that can be easily gathered from public sources, including phone books, corporate directories and websites. It includes such information as zip code, date of birth and religion, and is less likely to cause harm if it is disclosed in a data breach.

Companies receive sensitive PII from a wide variety of sources, including customers, financial institutions, medical providers, credit bureaus, job applicants and other businesses. This information is stored in a variety of places, including file cabinets, laptops, home computers, mobile devices, flash drives and digital copiers. A business needs to conduct a thorough inventory of the data it holds by type and location in order to protect itself from a security incident.

Sensitive PII is more dangerous to disclose, as it could lead to identity theft, cyberstalking or discrimination in the case of sensitive categories such as race, ethnicity, religious beliefs, political opinions, sexual orientation and trade union membership. This data is typically given enhanced protection under different privacy laws across the globe.

Non-sensitive PII can be combined with other data to identify an individual, so it is important for entities to use pseudonymous technical identifiers when collecting such information. For example, Criteo uses pseudonymous technical identifiers linked to browsing events to identify individuals without the need for direct identification. This allows us to serve the right advertising to the right person at the right time, while still meeting data-protection obligations.

What is Sensitive Personal Information?

While not all personal data requires heightened security measures, certain information carries a greater risk of identity theft and other harms if exposed. These types of data are often referred to as sensitive personal information and different privacy laws place greater emphasis on protecting this type of data.

Generally speaking, sensitive PII includes any information that could be used to identify a person. This may include names, birthdays, addresses and phone numbers but it also extends to things like credit card details, social security numbers, passport information and driving licences. Government identification numbers, union membership and precise geolocation are also commonly considered sensitive PII although some privacy laws may not include these in their legal definition of SPI.

Privacy laws put extra emphasis on sensitive personal information because if the data is revealed it can lead to discrimination, harassment and other problems for the individual concerned. This is why it is important to conduct a full inventory of the information your business holds and make sure that you are aware of what categories of data are included in the SPI category. Then you can ensure that the information is handled in accordance with relevant law. This should be done by examining the file cabinets, computer systems and other storage devices as well as checking everything stored on employees’ home computers, flash drives and digital copiers.

What is Non-Sensitive Personal Information?

Non-sensitive personal information is data that can identify a person but does not carry the same risk of a serious impact on privacy as PII. It’s typically publicly available, such as a full name, date of birth, address and telephone number. However, it is still important to have safeguards in place, like obfuscating and masking this information when sharing it with other companies. For example, an insurance company that shares its client’s PII with a marketing firm would encrypt and obfuscate this data to ensure it is received in a non-personally identifiable form.
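The masking step described above, together with the pseudonymous identifiers mentioned earlier, sketched as an added example (not code from any company named on this page). It swaps in a keyed HMAC for the pseudonym rather than encryption; the key, field names and records are constructed assumptions, and only direct identifiers are handled here.

```python
import hashlib
import hmac

# Constructed key for illustration; the data owner keeps it and never
# sends it to the recipient, who therefore cannot reverse or rebuild tokens.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: same input and key give the same token."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def mask_phone(phone: str) -> str:
    """Replace every digit except the last two with '*'."""
    digits = [c for c in phone if c.isdigit()]
    return "*" * (len(digits) - 2) + "".join(digits[-2:])


def prepare_for_sharing(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return a copy with direct identifiers replaced; other fields pass through."""
    shared = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # The email is the join key, so it becomes a stable pseudonymous ID.
    shared["subject_id"] = pseudonymize(record["email"], key)
    shared["phone_masked"] = mask_phone(record["phone"])
    return shared


# Constructed sample records (not real people); the second row differs only
# in email case and trailing whitespace, which normalization absorbs.
CLIENTS = [
    {"name": "Alex Example", "email": "Alex@example.com",
     "phone": "555-0100", "policy": "auto"},
    {"name": "Alex Example", "email": "alex@example.com ",
     "phone": "555-0100", "policy": "home"},
]

if __name__ == "__main__":
    for row in CLIENTS:
        print(prepare_for_sharing(row))
```

Because the token is deterministic under one key, the recipient can still link a subject's rows to each other; rotating the key per recipient prevents two recipients from joining their copies.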

Sensitive personal information is a subset of personal data that is more likely to be used in identity theft or other crimes. It includes personal data such as your social security number and credit card numbers. It also includes data identifying you with a certain race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership or genetic information.

The definition of PII can vary depending on the privacy laws in your country and region, but it generally refers to any data that can be used to identify a single individual. This data can be direct identifiers, such as your name or email address, or it can be indirect identifiers, such as your date of birth or your zip code. When combined, this data can accurately pinpoint an individual.
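How much indirect identifiers narrow a data set can be measured before release. The following added example (not from the original page) computes k-anonymity over zip code and date of birth on constructed records, then shows what coarsening those fields does and does not fix; all field names and values are assumptions.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "dob")

# Constructed sample data (no real people); names are already removed.
RECORDS = [
    {"zip": "03301", "dob": "1984-02-11", "plan": "A"},
    {"zip": "03301", "dob": "1984-07-30", "plan": "B"},
    {"zip": "03303", "dob": "1984-02-19", "plan": "A"},
    {"zip": "03304", "dob": "1991-05-02", "plan": "C"},
    {"zip": "03307", "dob": "1991-11-23", "plan": "B"},
    {"zip": "06510", "dob": "1975-01-09", "plan": "A"},
]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit zip prefix, birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means someone is unique."""
    sizes = group_sizes(records, keys)
    return min(sizes.values()) if sizes else 0


def at_risk(records, k, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier group has fewer than k members."""
    sizes = group_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[x] for x in keys)] < k]


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw k:", k_anonymity(RECORDS))
    print("generalized k:", k_anonymity(coarse))
    print("still unique after generalizing:", at_risk(coarse, 2))
```

On this sample every raw record is unique on zip plus date of birth; coarsening groups most of them, but the single outlier remains unique and has to be suppressed or generalized further before the set reaches k = 2.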