If it can be traced to a natural person, it is PII. IP addresses are PII, IDs are PII. It is in the name "Personally Identifiable Information." If it can be used to personally identify you, it's PII.
If you gave me this ID number, I could use it to locate your information in a breached DB dump, or if it is used in API requests, impersonate you.
It depends, but I was imagining a vulnerability where I authenticate to the API as myself, but use your ID. Or I sed my usage/diagnostic logs and replace my ID with yours. This might sound really boring, but as an example, I could send logs/activity as someone else, placing them at a scene of a crime that would show up in a subpoena.
I doubt this vulnerability exists, but these IDs (and any IDs by any company) should be guarded just like any other PII for exactly this sort of reason.
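The two bugs sketched in the comment above, as an added example that is not from the thread or any product it discusses: an API that authenticates the caller and then trusts a user ID supplied in the request (so "authenticate as myself, send your ID" reads someone else's data), and a log-ingestion endpoint that stores whatever user ID the client puts in the payload. Each is shown next to a hardened version that derives the identity from the session. All tokens, user IDs, records and function names are constructed for illustration.

```python
"""
Added example (not code from the thread): a minimal API showing the
"authenticate as myself, send your ID" bug (an IDOR / broken object-level
authorization) and the log-ingestion variant where the client asserts
the user ID. All names, tokens and records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed session store: bearer token -> authenticated user ID.
SESSIONS = {"tok-alice": "user-1001", "tok-bob": "user-1002"}

# Constructed user records keyed by the opaque user ID.
PROFILES = {
    "user-1001": {"name": "Alice", "email": "alice@example.test"},
    "user-1002": {"name": "Bob", "email": "bob@example.test"},
}


@dataclass
class Request:
    token: str                                   # Authorization bearer token
    params: dict = field(default_factory=dict)   # query parameters
    body: dict = field(default_factory=dict)     # JSON body


@dataclass
class Response:
    status: int
    body: dict


def authenticate(req: Request) -> Optional[str]:
    """Return the caller's user ID from the session token, or None."""
    return SESSIONS.get(req.token)


# --- Vulnerable: authenticates the caller, then trusts the ID they sent ----
def get_profile_vulnerable(req: Request) -> Response:
    if authenticate(req) is None:
        return Response(401, {"error": "unauthenticated"})
    target = req.params.get("user_id")           # attacker-controlled
    profile = PROFILES.get(target)
    if profile is None:
        return Response(404, {"error": "not found"})
    return Response(200, profile)                # any valid token reads any profile


# --- Hardened: the requested object must belong to the authenticated caller --
def get_profile_hardened(req: Request) -> Response:
    caller = authenticate(req)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    target = req.params.get("user_id", caller)
    if target != caller:
        # Explicit deny; a role check (e.g. support/admin) would live here.
        return Response(403, {"error": "forbidden"})
    return Response(200, PROFILES[caller])


# --- Log ingestion: the "replace my ID with yours in my logs" variant -------
LOG_STORE = []


def ingest_log_vulnerable(req: Request) -> Response:
    if authenticate(req) is None:
        return Response(401, {"error": "unauthenticated"})
    record = dict(req.body)                      # keeps client-asserted user_id
    LOG_STORE.append(record)
    return Response(202, record)


def ingest_log_hardened(req: Request) -> Response:
    caller = authenticate(req)
    if caller is None:
        return Response(401, {"error": "unauthenticated"})
    record = {k: v for k, v in req.body.items() if k != "user_id"}
    record["user_id"] = caller                   # server stamps the identity
    LOG_STORE.append(record)
    return Response(202, record)


if __name__ == "__main__":
    # Bob's token, Alice's ID: the vulnerable handler hands over Alice's profile.
    print(get_profile_vulnerable(Request("tok-bob", {"user_id": "user-1001"})))
    print(get_profile_hardened(Request("tok-bob", {"user_id": "user-1001"})))
    spoofed = {"user_id": "user-1001", "event": "login", "ip": "203.0.113.7"}
    print(ingest_log_vulnerable(Request("tok-bob", body=spoofed)))
    print(ingest_log_hardened(Request("tok-bob", body=spoofed)))
```

The fix in both cases is the same rule: an identifier that names the object or the actor is taken from the authenticated session, never from a parameter or payload the caller controls, and a mismatch is a 403, not a silent fallback.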
No, that's not the definition of PII. That the ID maps to a person doesn't mean they know that person's SSN, which is PII.
IP counts as metadata. It uniquely identifies you as an entity but does not reveal other details except geographic location. If IP addresses are PII, then any use of the internet is violating your privacy. Perhaps unplug your modem, turn off cell service on all devices and read a book instead.
That's literally the definition, it's in the name. If it can be used to personally identify you in any way, it's PII. Yes, IP addresses are PII and there's nothing that prevents you from storing PII for reasonable amounts of time (i.e., to process a packet, a purchase, or fulfill a contract). Where you get into trouble with various laws is when you store them for other purposes (such as in logs) and use them in ways they weren't intended (such as analytics) -- especially if you don't tell the person you're using it in that way. That last part is usually the basics of what is required. Not disclosing it is a sure way to find yourself in hot water, eventually. Most regulators don't seem to care atm, or are targeting big companies. I'm not a lawyer, but I've worked on software in this field, so take what I say with a grain of salt.
I think the point being made is that there are two classes of information: 1. That which helps distinguish a single human being as distinct from another. 2. That which provides you with some useful knowledge about that human being.
Knowing an IP address can distinguish user A from user B, but unless you know something else about A vs. B, what's the point?
Knowing an IP address is useless information, until you have a database linking IP addresses to geolocation. Knowing my address is useless information, until you have a map. Knowing my name is useless, until you have Google. Knowing my user id is useless, until you have a leaked database (or other vulnerability).
These are all PII, because they're useless until you have some other information, and then they deanonymize you.
There's a lot of confusion here. You need to read the GDPR carefully. The GDPR is the only source that explicitly mentions IP, and even they distinguish IP as "personal data", not "personally identifiable data." No other privacy legislation on the planet considers IP to represent any kind of PII.
I will reiterate my point. It is impossible to operate the internet or any other network where a server must distinguish between two or more clients without some kind of identifier for session management. Just think about it.
I am literally face palming so hard right now. I also wish I'd seen this reply earlier.
The GDPR never mentions "personally identifiable data" as that is a US term. In the GDPR, it only says "personal data" which is the exact same thing according to the GDPR.