By Jay Cline, CIPP 

The privacy footprint is growing. From Sacramento to London and from Bonn to New Delhi, the definitions of personal data and sensitive personal data are expanding. For privacy offices and marketing departments, this means their 2011 agendas just got more crowded--and more intermingled.

What is "personal data"? Many organizations have been answering this question in their data-classification policies with a definition similar to this: Personal data is information that is associated with an individual's name. For these organizations, differentiating between personal data and non-personal data is important. Once data falls into the "personal data" category, use and disclosure restrictions often apply, rendering that data less usable. In the Information Age, data utility can make or break a business model.

"Data classification changes make yesterday's standard operating procedure a disallowed practice today," said Hayden Creque, head of Creque Law and formerly general counsel of software company W3i.

From anonymous to personal data

So it was no small development in March when the Supreme Court of California ruled in the case of Pineda vs Williams-Sonoma that zip codes were personal data. How did the court reach that landmark conclusion? By determining that postal codes--when collected at the point of sale--could be used along with the payment information to obtain consumer addresses.

What's the impact of this development? California-based retail stores may no longer be able to easily ask for zip codes at the register in order to plan where to build new stores, for example. And gas stations may not be able to ask for zip codes at the pump to deter and detect fraud. Because of the economic importance of the California market, this ruling could also set a precedent for others.

Something more groundbreaking has been unfolding in Europe.  

Some EU member states have been defining IP addresses as personal data. Why? Because these addresses--which are numbers assigned to devices on a network in a geographical area--could be linked to individuals if other information is known about them, such as their Internet search patterns. In February, the data protection commissioner from the German state of Lower Saxony stated that IP addresses can't be shared with third parties without user consent. Last September, the Swiss Federal Supreme Court ruled that IP addresses are personal data subject to the country's data protection law. According to Linklaters, courts in Sweden, Spain and Austria have reached similar conclusions.

Moves are afoot to similarly redefine device and location data. A researcher in New Zealand last month discovered that gaming company OpenFeint had taken smartphone user IDs and location data obtained during application installations and successfully connected them with Facebook user profiles. In April, two researchers published a report claiming Apple's iPhone inappropriately collected and stored user-location data. The rapidity with which the U.S. Senate convened hearings about how Apple and Google manage user location data has put device makers, application developers and marketers on notice that they must take extra precautions when collecting or using this type of data.

At the same time, a lawsuit filed last month in U.S. District Court in Puerto Rico claimed that Apple, Pandora Media, and The Weather Channel were inappropriately disclosing personal data--unique device identifiers (UDIDs) and the location of those devices--to third-party ad networks. The ease of connecting a device with a named person prompted the EU's Article 29 Working Party in May to release an opinion that defines devices' location-based data as personal data subject to the EU Data Protection Directive.

"Location data is certainly, in many instances, private data, and there then follows the obligations to inform users, and the opportunity to opt in or opt out," said European Data Protection Supervisor Peter Hustinx.

Why are these redefinitions important? The vast numbers of Internet and software companies that collect and share clickstream data and device data as if it were aggregated, non-personal data may now be faced with obtaining Web visitor and user consent for these practices. Performing what used to be routine marketing analytics may become exceedingly difficult if higher forms of consent such as explicit permission emerge as the norm.

From personal data to sensitive PII

Just as more non-personal data is becoming personal data, so too is more personal data becoming sensitive personal data subject to heightened security requirements. Two important developments occurred in April.

On April 1, Dallas-based Epsilon notified clients that it had suffered an unauthorized intrusion of its massive e-mail database. Although no information normally viewed as sensitive--such as credit card numbers, Social Security numbers or personal health information--was compromised, the incident highlighted the risk of spear phishing. Spear phishers use e-mail addresses from the same organization to first discover other information about those individuals and then to target them with fraudulent e-mails. To guard against this risk, companies are re-evaluating whether e-mail addresses should be upgraded to sensitive personal data.

On April 11, India released its long-awaited Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011. These new rules define sensitive personal information somewhat differently than either the EU or United States to include passwords; personal financial information; physical, physiological and mental-health conditions; sexual orientation; medical records and history; and biometric information.


What are the implications of these changes?

A larger privacy footprint means greater demand for privacy professionals. More types of data requiring more security measures and use controls means there is more to do for in-house privacy staff and the attorneys and consultants who support them.

These changes also mean there will be more occasions for the privacy and marketing departments to work together. Up until this point, privacy staff might have been most concerned with high-risk personal data such as credit card information, personal health information and government IDs. But many of the data types that are getting upgraded are those used by marketing departments, who will now need more assistance to keep their projects on track.

Creque believes that organizations that adopt a Privacy by Design methodology will be more successful at navigating these data-classification changes and avoiding inadvertent uses and disclosures of personal data.

Organizationally, we also might be starting to see the disappearance of separate network zones and policies for the most sensitive personal data. If the trend continues toward all personal data receiving a high-risk classification, this rising common denominator may become the driving force converging global privacy regulations.

Jay Cline is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.

