Personal data

In prescriptive data privacy regimes such as the US federal Health Insurance Portability and Accountability Act (HIPAA), PII items have been specifically defined.

The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB),[12] and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122).[13]

The OMB memorandum defines PII as follows: Information that can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or recognizing linked or linkable information, such as date and place of birth, as well as the mother's maiden name, in official standards like the NIST Guide, demonstrates a proactive approach to ensuring robust privacy safeguards amid the dynamic landscape of data security.

For example, the name "John Smith" has no meaning in the current context and is therefore not SB1386 "personal information", but it is PII.

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old white male who works at Target".

It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.
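The uniqueness effect described above can be measured on a dataset before it is released. The following is an added example, not part of the original article: it counts how many records are singled out by gender, ZIP code and date of birth, and shows the effect of coarsening those fields. The records, field names and the generalization rule are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real people); names and IDs already removed.
RECORDS = [
    {"gender": "F", "zip": "02139", "dob": "1961-07-14", "diagnosis": "A"},
    {"gender": "F", "zip": "02139", "dob": "1961-07-14", "diagnosis": "B"},
    {"gender": "F", "zip": "02138", "dob": "1961-02-03", "diagnosis": "A"},
    {"gender": "F", "zip": "02141", "dob": "1961-11-30", "diagnosis": "C"},
    {"gender": "M", "zip": "02139", "dob": "1975-01-09", "diagnosis": "B"},
    {"gender": "M", "zip": "02142", "dob": "1975-05-21", "diagnosis": "A"},
    {"gender": "M", "zip": "02139", "dob": "1975-12-02", "diagnosis": "C"},
    {"gender": "F", "zip": "02139", "dob": "1961-09-09", "diagnosis": "B"},
]

# The three "linkable" fields named in the text.
QUASI_IDENTIFIERS = ("gender", "zip", "dob")


def equivalence_classes(records, keys):
    """Group records by their quasi-identifier values and count each group."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def unique_fraction(records, keys):
    """Share of records whose quasi-identifier combination occurs exactly once."""
    classes = equivalence_classes(records, keys)
    singled_out = sum(1 for r in records if classes[tuple(r[k] for k in keys)] == 1)
    return singled_out / len(records)


def k_anonymity(records, keys):
    """Size of the smallest group; k == 1 means someone is uniquely identifiable."""
    return min(equivalence_classes(records, keys).values())


def generalize(record):
    """Assumed coarsening rule: keep a 3-digit ZIP prefix and the birth year only."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    for label, data in (("raw", RECORDS), ("generalized", coarse)):
        print(label,
              "unique fraction:", unique_fraction(data, QUASI_IDENTIFIERS),
              "k:", k_anonymity(data, QUASI_IDENTIFIERS))
```
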

In hacker and Internet slang, the practice of finding and releasing such information is called "doxing".

In particular, online behavioral advertising businesses based in the US that surreptitiously collect information from people in other countries, in the form of cookies, bugs, trackers and the like, may find that their preference to avoid the implications of wanting to build a psychographic profile of a particular person, using the rubric of 'we don't collect personal information', does not make sense under a broader definition like that in the Australian Privacy Act.

§ 552a, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

The U.S. Senate proposed the Privacy Act of 2005, which attempted to strictly limit the display, purchase, or sale of PII without the person's consent.

U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft.

Additional U.S.-specific personally identifiable information[32] includes, but is not limited to, I-94 records, Medicaid ID numbers, and Internal Revenue Service (I.R.S.)

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce.

Criminals may go to great trouble to avoid leaving any PII, such as by:

Personal data is a key component of online identity and can be exploited by individuals.

Another category can be referred to as financial identity theft,[44] which usually entails bank account and credit card information being stolen, and then being used or sold.

During the second half of the 20th century, the digital revolution introduced "privacy economics", or the trade of personal data.

In relation to companies, consumers often have "imperfect information regarding when their data is collected, with what purposes, and with what consequences".

Sources, usually Internet-based since the 1990s, may include census and electoral roll records, social networking sites, court reports and purchase histories.