How does Crobox define Personal Identifiable Information (PII)?
PII is defined as any information/data that can be used to uniquely identify a Data Subject within a database or data collection. Legally, this process is often referred to as “singling out” and specifically describes using PII to pinpoint any individual Data Subject within a dataset. Data that cannot be used to single out a Data Subject is, therefore, not considered PII.
PII is made up of “hard data points” such as (personal) names, email addresses, physical addresses, IP addresses, social security numbers, mugshots, avatars, and so forth. This type of data reveals the underlying Data Subject using a one-to-one relation.
It is important to note that while PII is not being explicitly processed, Crobox does work with Universally Unique Identifiers (UUIDs), which are computer-generated sequences of random characters that connect sessions to corresponding visitors. While UUIDs can theoretically be used to single out Data Subjects, it is often not considered PII because:
- The UUID uses complex logic to randomly generate a sequence of characters and numbers, making it very difficult to connect a specific Data Subject to a UUID.
- The UUID is never exposed to a visitor as it is stored in cookies. Without knowing a UUID, one can never pinpoint his or her own data.
- The UUID doesn't have any interpretation, meaning there is no distinction between any two given UUIDs.