Personally Identifiable Information or “PII” as it is commonly referred to includes any information which may be used to uniquely identify, locate or contact a single person, either by itself or when combined with other sources.
As you might know from personal experience, some sellers request the buyer’s zip code when conducting a credit card transaction. But this can be considered a violation of law. In two recent decisions involving credit card transactions, zip codes were ruled to be PII based on state law.
On January 6, 2012 a Federal District Court in Massachusetts found that zip codes are PII under Mass. Gen. L. 93-105(a), which prohibits the collection of PII that is not required by a credit card issuer. Despite its finding, the Court dismissed the complaint because there was no cognizable injury to the plaintiff. Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass.; Jan. 6, 2012). The California Supreme Court previously came to the same conclusion under Civil Code § 1747 et. seq.. Pineda v. Williams-Sonoma Stores, Inc., No. S178241 (Cal., Feb. 10, 2011).
Instinctively we view information such as an SSN or a phone number as Personally Identifiable Information (PII) because they are unique to one individual or a household. Whereas gender, a birth date, or a zip code alone seem relatively broad, applying to large numbers of people.
However, when two or more of these broader attributes are known, it is much easier to identify an individual. Thus, any one of these could be considered PII when combined with another.
In a 1997 experiment conducted by a computer science professor at Carnegie Melon University, the identity of an anonymous man, Mr. X, was found knowing only his gender, birth date, and zip code. Professor Latanya Sweeney was able to identify Mr. X because there is an 87% chance that these three attributes are not shared with another U.S. resident. In addition, she used a voter registration data source. What Information is Personally Identifiable?
Based on these decisions and Professor Sweeney’s experiment, seemingly broad attributes such as a zip code can lead to the identity of a single individual when combined with additional attributes. Combined, they are considered PII.