“We Don’t Collect Any Personally Identifiable Information”: A Word of Warning

We give a brief overview of why it is legally dangerous for EU businesses to rely on such statements.

You will frequently see comments similar to the one above on US websites and online services.

In the US, “personally identifiable information” or “PII” refers to information which actually identifies a human in the everyday sense of the word. For example, names, postal addresses, email addresses, phone numbers, and social media user names are PII.

US organisations such as Ghostery (the provider of a well-known Firefox plug-in on privacy issues) can therefore categorise “Cookie Data” as being “anonymous” because cookies don’t drive PII.

The PII definition is far narrower than the EU concept of “personal data” though.

To illustrate, cookies and the information they drive are “personal data”, and are not anonymous in the eyes of EU law.

So by all means read US privacy notices, disclaimers etc. and think about the related privacy issues they raise (they will probably affect you and/or your business to some extent), but don’t take as read the legal position they set out. The EU position can be very, very different.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.