Security and Privacy Basics — Lesson 5
Privacy, PII, Encryption, and Compliance
Learning Objectives
1. Identify what constitutes personally identifiable information (PII).
2. Understand encryption in transit and at rest.
3. Know the basics of GDPR, CCPA, and data privacy obligations.
Personally identifiable information
PII is any data that can identify a specific individual: name, email, phone number, address, social security number, financial information, health information, biometric data, and IP addresses. Some PII is obviously sensitive (SSN, health records). Other PII becomes sensitive in combination (name + birthday + address).
If your business collects PII — and nearly every business does through forms, accounts, purchases, and email lists — you have obligations to protect it. These obligations exist regardless of your company size. A five-person company that loses customer data faces the same type of consequences as a large enterprise.
Know what PII your business collects, where it is stored, who has access, how long it is kept, and how it would be deleted if requested. This inventory is the foundation of privacy compliance and the first thing a regulator or auditor will ask for.
Encryption: in transit and at rest
Encryption in transit means data is protected while moving between systems: from a browser to a server, from one server to another, or from an app to an API. TLS (still widely called SSL after its deprecated predecessor; the padlock in your browser) is the most common form of encryption in transit. Any data transmission that crosses the internet should be encrypted in transit, and traffic between your own services should be too, since an attacker who gets a foothold on an internal network can read unencrypted traffic there just as easily. Note what the padlock does and does not tell you: it means the connection to that server is encrypted and the certificate matched the domain name; it says nothing about how the server handles the data once it arrives.
Encryption at rest means data is protected while stored: in a database, on a hard drive, or in cloud storage. If someone steals the disk or obtains a raw copy of the storage, encrypted data is unreadable without the encryption key. It does not protect against someone who reads the data through the normal path: a cloud bucket that the provider encrypts with its own keys still serves plaintext objects to anyone the bucket's permissions allow, including the whole internet if the bucket is misconfigured.
For business leaders, the key questions are: Is data encrypted in transit (does the connection use HTTPS)? Is data encrypted at rest (does the storage provider encrypt stored data)? Who controls the encryption keys, and are they kept separate from the data they protect? What encryption standards are used (current TLS versions in transit; AES-256 or an equivalent modern cipher at rest)? These questions should be part of any vendor security evaluation.
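The following is an added example, not code from this lesson, showing what "encrypted at rest with keys kept separate from the data" looks like at the field level. It uses only Go's standard library: each PII field of a user record is sealed with AES-256-GCM, the stored record contains only ciphertext, and decryption with the wrong key fails outright instead of yielding garbage. The in-memory key is an assumption standing in for a key manager or KMS, and the user record is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// StoredUser is the shape that lands in the database or bucket. Only the
// identifier is in the clear; each PII field is a separate AES-256-GCM
// ciphertext, so a copy of this record alone is useless without the key.
type StoredUser struct {
	ID       int
	EmailEnc string // base64(nonce || ciphertext || GCM tag)
	NameEnc  string
}

// newDataKey produces a random 256-bit key. In a real system this key (or
// the key-encryption key that wraps it) lives in a KMS or secret manager,
// never next to the data; the returned slice here stands in for that store.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one PII value. A fresh random nonce is prepended to the
// output, and the owning record ID is bound in as associated data so a
// ciphertext cannot be silently moved from one user's row to another's.
func encryptField(key []byte, recordID int, plaintext string) (string, error) {
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	aad := []byte(fmt.Sprintf("user:%d", recordID))
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField. A wrong key, a tampered ciphertext, or
// a mismatched record ID all fail the GCM authentication tag and return an
// error rather than plaintext.
func decryptField(key []byte, recordID int, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	aad := []byte(fmt.Sprintf("user:%d", recordID))
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, _ := newDataKey()
	// Constructed sample record; this is what would be written to storage.
	nameEnc, _ := encryptField(key, 42, "Ada Lovelace")
	emailEnc, _ := encryptField(key, 42, "ada@example.com")
	rec := StoredUser{ID: 42, NameEnc: nameEnc, EmailEnc: emailEnc}
	fmt.Printf("stored: %+v\n", rec)

	email, err := decryptField(key, rec.ID, rec.EmailEnc)
	fmt.Println("with key:", email, err)

	otherKey, _ := newDataKey() // an attacker holding only the bucket contents
	_, err = decryptField(otherKey, rec.ID, rec.EmailEnc)
	fmt.Println("without key:", err)
}
```

The design choice worth noticing is that the stored record and the key are separate objects with separate access paths: leaking the record (the forgotten-bucket scenario) exposes nothing readable, while the key never needs to be written beside the data. Binding the record ID as associated data is a small extra that stops a ciphertext being copied between rows undetected.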
GDPR, CCPA, and privacy obligations
GDPR (General Data Protection Regulation) is the European privacy law that applies to any business that handles the personal data of people in the EU, wherever the business itself is located. It requires a lawful basis for processing (clear consent being the most familiar one), gives individuals the right to access and delete their data, requires notification of the supervisory authority within 72 hours of becoming aware of a breach (and of the affected individuals without undue delay when the breach puts them at high risk), and requires documented data processing practices.
CCPA (California Consumer Privacy Act) gives California residents the right to know what personal information is collected, the right to delete it, the right to opt out of its sale, and protection against discrimination for exercising these rights. Similar laws exist or are emerging in many other US states.
Regardless of which specific regulations apply to your business, the practical requirements are similar: know what data you collect and why, have a privacy policy that explains your practices, honor deletion requests, protect the data you hold, and notify people if their data is compromised.
A privacy policy is not a legal technicality. It is a public commitment to how you handle data. It should be accurate, understandable, and actually reflect your practices. A privacy policy that says you do not share data while your marketing tools send data to third parties creates legal liability.
Case Study
The forgotten database
Situation
A SaaS startup collected user data during a beta test, stored it in a development database, and forgot about it. Two years later, the development database was exposed in a misconfigured cloud storage bucket. The exposed data included names, emails, and hashed passwords of 3,000 beta users. Under GDPR, the company had to notify its supervisory authority within 72 hours of becoming aware of the exposure and inform the affected users without undue delay.
Analysis
The data should have been deleted after the beta concluded, or at minimum migrated to a secure, encrypted database. The company had no inventory of where personal data was stored, no retention policy, and no regular review of data stores. The forgotten database is a common pattern in growing companies. Note also that "hashed passwords" is only as reassuring as the hashing: a fast, unsalted hash such as MD5 or SHA-1 can be cracked at scale from an exposed dump, whereas a slow, salted password hash (bcrypt, scrypt, or Argon2) makes that impractical. Which one a system uses is worth knowing before a breach rather than after.
Takeaway
Data you forget about is still data you are responsible for. Maintain an inventory of all data stores and delete data you no longer need.
Reflection Questions
1. Could you produce a complete list of everywhere your business stores customer personal information?
2. Does your privacy policy accurately reflect your actual data practices?
Key Takeaways
- ✓ PII is any data that can identify a person; know what you collect and where it lives.
- ✓ Encryption in transit (TLS) and at rest protect data from interception and from theft of the storage it sits on; neither helps against someone who holds the keys or has legitimate access to the system.
- ✓ Privacy regulations require transparency, a lawful basis such as consent, deletion rights, and breach notification.
- ✓ Data you forget about is still data you are responsible for; maintain inventories and retention policies.