The Privacy Supply Chain: Handling Sensitive PII
June 22, 2022
Governments worldwide are taking a hard look at how businesses handle individual consumers’ data. Despite a balkanized global landscape of emerging privacy regulations, common themes have emerged, including the demand that businesses take greater care of Sensitive Personally Identifiable Information (Sensitive PII or SPII). While most regulations outline rules for handling any data that could reasonably be resolved to a single individual (PII), the most far-reaching new laws go further with SPII. These rules mandate special handling of SPII, meaning data that are considered culturally, historically, or politically sensitive. To continue transacting on and with SPII consumer data, businesses need to take special care in handling, or avoiding, these data.
What are the rules of the road?
The European Union’s General Data Protection Regulation (GDPR) popularized SPII as an industry term and as a distinct category of data to operationalize separately. GDPR Article 9 specifies information like an individual’s race, sexual orientation, trade union membership, genetic data, medical history, political affiliation, and precise location. Many subsequent privacy laws now include a similar SPII section. In fact, some jurisdictions have privacy requirements specific to some types of SPII, such as the Illinois Biometric Information Privacy Act (BIPA), which defines biometric data such as face, voice, and fingerprints as substantially more sensitive than other types of PII and requires that it be handled differently. The definition of sensitive PII also varies globally: Japan’s Act on the Protection of Personal Information includes social class among other sensitive categories.
Businesses that wish to gather and use SPII data are subject to greater constraints, usually purpose-specific first-party consent, when it comes to justifying the collection and processing of SPII. Businesses that don’t need to use sensitive PII to provide their promised services should do their best to steer clear of gathering or holding any to avoid steep penalties. For many DaaS industry veterans, this is a bit of a new paradigm. As the regulatory landscape changes, some data product companies will find themselves on the wrong end of SPII.
What’s over the horizon?
Rules around sensitive PII will continue to evolve as a raft of new and amended domestic USA privacy laws come into effect in the coming year, and also if the ADPPA draft becomes law this year. Most prominently, changes to the California Consumer Privacy Act that go into effect next year will reclassify all data collected about minors under age 18 as sensitive, requiring a “double opt-in” standard many companies could struggle to meet. New rules will also curtail the use of “dark patterns,” a form of deceptive UX design aimed at manipulating consumers. Given the size of California’s market, most businesses will conform to these standards rather than avoid doing business in the Golden State.
Other SPII changes are less certain, but still likely. Amended versions of state bills that didn’t pass in 2022 in as many as 22 states are likely to be reintroduced in the coming year if not federally preempted. Several bills (including the most recent draft of the American Data Privacy and Protection Act) called for treating behavioral (cookie) data as sensitive PII. Adoption would immediately alter the rules of play for targeted online advertising, forcing many businesses to entirely rethink their strategy and ad tech stack. What is certain is that businesses, especially those selling globally, can expect to contend with a fragmented and possibly contradictory landscape of privacy rules, with definitions of compliance changing by state and country. The best defense for most businesses will be a business model built to solve problems with compliant data, and partnerships with responsible, compliant data partners who are better positioned to navigate the fast-changing privacy map.
The PDL view on SPII
As a data provider focused on compliance, quality, and the success of our customers and their products, PDL made the decision years ago not to include any forms of sensitive PII in our data sourcing strategy. We recognize that sensitive PII can be an important tool in building certain types of valuable products, but we don’t believe you need it for the world-class professional and B2B data that we build.
As a result, PDL clients can be assured that none of the data they receive from us carries any risk of exposure under existing or upcoming SPII regulations. By self-regulating our business model, we give our customers the peace of mind to build with data without worrying about chasing down perhaps unattainable consent to solve for the risks of non-compliant SPII data.