Privacy & Security

PII vs. NPI: A Guide to Types of Sensitive Consumer Data

Businesses that collect and handle personally identifiable information and other sensitive data must understand their obligations ahead of upcoming changes.


Despite being passed in 2018, California first used the state’s Consumer Data Privacy Act to enforce penalties on a violating company in 2022. In September, the personal care and beauty retailer, Sephora settled for $1.2 million in fines with the state’s attorney general over charges that the company illegally sold customer data to third-party ad servers and failed to honor customers’ opt-out requests.

Similarly, the Federal Trade Commission (FTC) hit Uber’s subsidiary, Drizly earlier this month with restrictive penalties for failures to fix known vulnerabilities that precipitated a breach of 2.5 million customer records. The FTC is already poised to take more aggressive action over consumer data privacy violations when the Commission’s updated Safeguards Rule goes into effect in June, 2023 (note that this deadline was extended by six months in November, 2022; the original date that this would go into effect was December 9, 2022).

Businesses that collect and handle different types of potentially sensitive consumer data, such as personally identifiable information (PII) and nonpublic personal information (NPI), must understand their regulatory obligations for different kinds of personal information and prepare for impending changes.

In this brief guide, we’ll cover three major types of consumer data and how to handle them.

Personally Identifiable Information (PII)

PII refers to any kind of data a third party could use to identify a specific individual. This definition extends to any information – either a single data point or a conclusion drawn from an aggregate of multiple data points – that would suffice to distinguish one individual from another or otherwise deanonymize an individual.

Organizations that collect PII for business purposes must protect it to prevent financial crimes against themselves and their customers. Exposure of PII gives malicious actors the tools to perpetrate fraud, identity theft, money laundering, and other serious federal crimes.

In the U.S., the General Services Administration (GSA) defines and regulates PII. The GSA’s Rules of Behavior for Handling Personally Identifiable Information stipulate that any information that could “distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information,” constitutes PII. The GSA does not enumerate a definitive list of PII data types as changes in technology render the definition somewhat fluid.

Single-point types of PII typically include:

  •   Personal names
  •   Home addresses
  •   Email addresses
  •   Telephone numbers
  •   Dates of birth
  •   Passport numbers
  •   Driver’s license numbers
  •   Fingerprints
  •   Social security numbers
  •   Credit or debit card numbers

Potential multipoint PII may involve:

  •   Places of birth
  •   Business phone numbers or email addresses
  •   Demographic Data, such as race, ethnicity, or religion

Financial institutions typically collect PII when verifying an individual’s identity in their KYC processes. Businesses also do this when creating customer accounts for recurring payments or establishing multifactor authentication.

Nonpublic Personal Information (NPI)

NPI is a subset of PII, as defined in the Gramm-Leach-Bliley Act (GLBA). NPI applies to PII financial institutions collect when performing a financial service on behalf of a customer. This excludes information known to be publicly accessible in federal, state, or local records and information previously disclosed by the media. As such, NPI varies from customer to customer and does not fit a fixed list of data types.

In the U.S., the primary regulatory control concerning the use and handling of NPI is the FTC’s Safeguards Rule.

Sensitive Personal Information (SPI)

SPI, also known as sensitive personal data, is a general term in cybersecurity and information security. The U.S. law does not contain any specific definition of the term or regulation of the information type. However, the E.U.’s General Data Privacy Regulation (GDPR) distinguishes personal information from sensitive personal information (SPI).

In the GDPR, personal information comprises any information that identifies a specific individual. SPI is a subset of data that may expose an individual to adverse treatment by other individuals, companies, or any kind of socio-political group. These include:

  •   Political opinions or affiliations
  •   Ethnic or racial origins
  •   Religious or philosophical beliefs
  •   Trade union memberships
  •   Genetic or biometric data

To ensure that SPI cannot be linked to PII, NPI, or other customer data types, the GDPR mandates that organizations that collect and store this type of data quarantine SPI from other types of personal information in their storage architecture.

Identify & Safeguard Your Client Information

FileInvite’s secure, SOC 2 Type 2 compliant file sharing and document portal platform provides financial institutions and other regulated industries with a powerful tool to protect consumer data privacy and comply with national and international regulations. 

Eliminating the need to rely on email for the exchange of sensitive client information through automated 256-bit encryption for file storage and transmission, FileInvite streamlines document collection processes while providing both you and your clients enhanced data security protections.

Start your free trial of FileInvite today.

Free Guide - 3 Ways to Protect Your Clients' Personally Identifiable Information

Related Posts:

Similar posts

Gather all the documents, signatures, and data you require up to 80% faster.

Eliminate the monotony of back-and-forth emails and inefficient systems when gathering client information. Get hours back each week as FileInvite handles the most time-consuming work for you.

Get started in as little as 5 minutes.

Stay in-the-loop. Subscribe here to receive the latest from FileInvite.