The FTC has shown leadership on privacy and data security issues, bringing over 170 cases against many entities for committing unfair, deceptive, or fraudulent practices in 2016. The FTC’s efforts around privacy and security have often centered on protecting “personally-identifiable information” (PII) or “personal data,” terms that can apply to all information that can be reasonably linked to an individual, computer, or device. PII can include a wide range of information, from names and email addresses to personal photos and IP addresses. Indeed, the definition of PII varies across federal agencies, between federal and state government, and across different countries, and over the last decade the definitions have continued to change to include forms of data that would previously have been considered “non-PII.”
However, not all PII is the same. A better understanding of the different types of PII would help the FTC accurately identify the consumer harms associated with each type of information and intervene more effectively without impeding innovation. The purpose of these comments is to propose a typology of PII, informational injuries, and levels of data collection and use to help the FTC achieve this goal. Moreover, as we outline below, the conventional wisdom that restricting data sharing is the optimal way to prevent informational injury in most cases is simply incorrect. A more nuanced approach to preventing informational injury will allow the FTC to pursue better alternatives depending on the type of information at risk.