Paul M. Schwartz & Daniel J. Solove, The PII Problem: Privacy and a New Concept of Personally Identifiable Information
Comment by: Rick Kunkel
Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1909366
Workshop draft abstract:
Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that the very concept of PII can be highly malleable.
To demonstrate the policy implications of the failure of the current definitions of PII, this Article examines current practices of behavioral marketing. In their use of targeted technologies, companies direct offerings to specific consumers based on information collected about their characteristics, preferences, and behavior. Behavioral marketing has enormous implications for privacy, yet the present regulatory regime with PII as the cornerstone has proven incapable of an adequate response. Behavioral marketers are able to engage in their targeting practices without the use of what most laws consider to be PII. Despite this fact, behavioral marketing causes privacy problems that should be addressed. Other practices not involving PII as traditionally formulated also lead to problems. Since PII defines the scope of so much privacy regulation, the concept of PII must be rethought. In this Article, we argue that PII cannot be abandoned; the concept is essential as a way to define regulatory boundaries. Instead, we propose a new conception of PII, one that will be far more effective than current approaches.
This Article proceeds in four steps. First, we develop a typology of PII that shows three basic approaches in United States law to defining this term. As part of this typological work, the Article traces the historical development of the jurisprudence of PII and demonstrates that this term only became important in information privacy law in the late 1960s with the rise of the computer’s data processing. Second, we use behavioral marketing, with a special emphasis on food marketing to children, as a test case for demonstrating the severe flaws in the current definitions of PII. Third, we discuss broader policy concerns with PII as it is conceptualized today. Finally, this Article develops an approach to redefining PII based on the rule-standard dichotomy. Drawing on the law of the European Union, we propose a new concept of PII that protects information that relates either to an “identified” or “identifiable” person. We conclude by showing the merits of this new approach in the context of behavioral marketing and in meeting the other policy concerns with the current definitions of PII.