Personally identifiable information (PII) is any piece of sensitive information that can be used to uniquely identify an individual, either directly or indirectly. In the US, PII protection isn't regulated by just one federal law. Rather, there is a patchwork of federal and state laws, industry self-regulatory programs, common law principles, and sector-specific regulations. For example, consumer protection laws such as the Federal Trade Commission Act (FTC Act) make it illegal to collect, use, process, or share PII in an unfair or deceptive way. In addition, each state enforces its own privacy and data security laws to protect PII. The scope and duties of these laws vary.
Fines for PII Violations
Breaches of PII often lead to fraud such as identity theft. Violations involving confidential and sensitive information also happen when:
- PII is accessed, used, or shared without permission, whether in physical or electronic form.
- There is a failure to report a PII breach.
- An employee or agency deliberately distributes personal information to any person or agency not authorized to receive it.
- Anyone requests or obtains an individual's record from an agency under false pretenses.
Those charged with mishandling PII may face consequences ranging from civil penalties (payment of damages and legal fees) to disciplinary action such as job termination, or criminal prosecution. Violators can face criminal sanctions ranging from a $5,000 fine to misdemeanor criminal charges. To avoid violations, every organization that handles PII should follow the best security practices for protecting PII. This includes installing firewall and antivirus software and enforcing an eCommerce privacy policy.
How to Report a PII Violation
Visit the FTC website and navigate to its identity theft page. To report a scam or fraud incident, go to the FTC fraud page.
PII Violations in eCommerce: Where Most Brands Get It Wrong
Your eCommerce platform collects PII every single day—email addresses, shipping addresses, payment information, phone numbers. But many mid-market brands don't realize they're violating privacy laws simply by collecting or storing this data without proper consent.
The most common mistake? Assuming that because a customer buys from you, you can use their data however you want. That's not how it works. You need explicit consent before you:
- Add them to your email marketing list (CASL and CAN-SPAM require this)
- Track their behavior with pixels (Meta Pixel, Google Analytics) after they leave your site
- Share their data with third-party apps (Klaviyo, Gorgias, inventory tools)
- Retain their information longer than necessary
If you're running Shopify or BigCommerce, your platform collects PII on your behalf—which means you're liable if that data is mishandled. Many brands assume Shopify's security is enough. It's not. You still need to manage consent, document data flows, and honor customer rights to deletion.
The FTC has been aggressive with eCommerce enforcement lately. They're not just targeting massive retailers—mid-market DTC brands are in scope. A single complaint from a customer who didn't consent to email marketing, or who submitted a data subject access request (DSAR) and you ignored it, can trigger an investigation. Fines start at thousands of dollars and climb quickly once legal fees enter the picture.
The safest approach: assume every piece of PII requires consent, document that consent, and make it easy for customers to opt out or request deletion. This isn't just compliance—it's good business.
State Privacy Laws: Your Compliance Checklist
The US doesn't have a single federal privacy law like GDPR. Instead, you're juggling multiple state regimes, and the rules change depending on where your customers live.
California's CCPA (and its stricter successor, CPRA) applies to any brand with California customers if you meet one of the thresholds: $25 million in revenue, buy/sell personal info of 100,000+ people, or derive 50%+ of revenue from selling customer data. Most eCommerce brands hit one of these triggers.
Colorado, Connecticut, Utah, and Virginia have similar laws (often called "CPRA lite"). More states are passing privacy laws every year. Each one gives customers the right to:
- Know what PII you collect and why
- Delete their data
- Opt out of data sales or targeted advertising
- Correct inaccurate information
For your Shopify or BigCommerce store, this means:
- Your privacy policy must list every data processor (payment gateway, email provider, analytics tool)
- You need a process to handle deletion requests within the state's deadline (usually 45 days)
- You must honor opt-out requests for marketing and behavioral tracking
- You need to track consent—not just assume it
The penalty structure varies by state, but violations can cost $100–$7,500 per customer per incident. If you have 10,000 customers in California and you mishandled 500 DSARs, you're looking at six-figure exposure.
Start by mapping where your customers live. Then audit which state laws apply to your business. Don't wait until you're audited.
Payment Card Industry (PCI) Compliance: Beyond PII
If your store processes credit cards directly (or stores card data), you're also subject to PCI DSS—a separate compliance standard that overlaps with PII protection but has its own teeth.
PCI DSS requires you to:
- Encrypt card data in transit and at rest
- Never store full card numbers after a transaction
- Use tokenization or a PCI-compliant payment processor
- Audit access logs and monitor for suspicious activity
Most Shopify and BigCommerce stores are not PCI-compliant themselves because they use hosted payment forms or third-party gateways (Stripe, Square, PayPal). Those processors handle compliance for you. But if you're capturing card data in any other way—custom integrations, spreadsheets, email—you're opening yourself to both PCI fines and PII liability.
A PCI violation can result in penalties of $5,000–$100,000 per month until you're compliant. Your payment processor can also terminate your account.
The practical takeaway: never store raw payment data. Always use a PCI-compliant processor or tokenization service. Document this decision in your privacy policy so customers know their card data is protected.
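The following is an added example, not code from this article or from Shopify, BigCommerce, Stripe or any other processor. It shows what "never store raw payment data" looks like in a merchant-side code path: the card number goes to a tokenization service and the merchant keeps only an opaque token, the brand and the last four digits, while free-text fields (support notes, exports) are checked so a card number cannot slip into them by accident. ProcessorVault is a hypothetical in-memory stand-in for the PCI-compliant processor's vault; the brand rules are simplified prefixes, and the card numbers in the comments are the public test numbers, not real cards.

```python
"""Keep raw card numbers (PANs) out of merchant storage: tokenize, keep only a
stub for display, and refuse to persist free text that carries a PAN.
Added example; ProcessorVault is a hypothetical stand-in for a PCI-compliant
tokenization service, not any real processor's API."""
import re
import secrets
from dataclasses import dataclass

# Rough PAN shape (13-19 digits, optional spaces/dashes); Luhn trims false hits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of `number` (rejects mistyped or fake PANs)."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if free text (notes, tickets, CSV exports) appears to carry a card number."""
    return any(luhn_valid(m.group()) for m in _PAN_RE.finditer(text))


def brand_of(digits: str) -> str:
    """Illustrative prefix rules only; real BIN ranges are broader than this."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in ("34", "37"):
        return "Amex"
    if digits[:2] in ("51", "52", "53", "54", "55"):
        return "Mastercard"
    return "Card"


class ProcessorVault:
    """Hypothetical processor-side vault: the PAN lives here and nowhere else."""

    def __init__(self):
        self._pans = {}   # token -> PAN, on the processor's side of the PCI boundary

    def tokenize(self, pan: str) -> str:
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(16)   # random; not derived from the PAN
        self._pans[token] = digits
        return token

    def charge(self, token: str, cents: int) -> bool:
        """The merchant charges by token and never needs the PAN back."""
        return cents > 0 and token in self._pans


@dataclass
class StoredCard:
    token: str   # opaque reference, useless outside the processor
    brand: str
    last4: str   # enough for "Visa ending 1111" on receipts and order pages


class MerchantCardStore:
    """Everything the merchant persists about a customer's card."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.cards = {}   # customer_id -> StoredCard
        self.notes = {}   # customer_id -> list of support notes

    def save_card(self, customer_id: str, pan: str) -> StoredCard:
        token = self.vault.tokenize(pan)                 # PAN crosses to the processor...
        digits = "".join(c for c in pan if c.isdigit())
        card = StoredCard(token, brand_of(digits), digits[-4:])
        self.cards[customer_id] = card                   # ...and only the stub is stored
        return card

    def save_note(self, customer_id: str, note: str) -> None:
        """Refuse to persist notes that contain something shaped like a card number."""
        if contains_pan(note):
            raise ValueError("note contains what looks like a card number; not stored")
        self.notes.setdefault(customer_id, []).append(note)

    def masked(self, customer_id: str) -> str:
        card = self.cards[customer_id]
        return f"{card.brand} **** **** **** {card.last4}"
```

The point of the split into two classes is the data boundary: nothing in MerchantCardStore can recover a PAN, so a breach of the merchant database, a leaked export or a mis-scoped staff account yields tokens and last-four digits only. The note guard is the cheap control for the "spreadsheets, email" failure mode the text describes.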
What Happens After You're Caught: Investigation and Remediation
If a customer files a complaint with their state's Attorney General or the FTC, you'll likely receive a civil investigative demand (CID)—a formal request for all documents related to your data practices.
This is where many brands panic. You'll need to produce:
- Your privacy policy and all versions you've published
- Consent records (if you kept them)
- Data processing agreements with vendors
- Security audit reports
- Customer communication about data retention
- Any breach notification emails you've sent
If you don't have these documents, regulators interpret that as evidence of negligence. Your lack of documentation is a violation.
Once the agency investigates, you may face a settlement agreement that requires you to:
- Overhaul your privacy policy
- Implement third-party security audits
- Create a data governance program
- Pay civil penalties and customer restitution
- Submit to monitoring for 10+ years
The total cost—legal fees, remediation, settlements, monitoring—often exceeds $500,000 for mid-market brands. That's why prevention is infinitely cheaper than defense.
The best defense is a system. You need clear consent flows, documented data inventories, audit trails, and a process to honor customer requests when they come in. Without automation, you'll lose track of who consented to what, and enforcement agencies will notice.
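The following is an added example, not code from this article or from Shopify, BigCommerce, Klaviyo or any other vendor. It turns the compliance checklist above (per-purpose consent that is recorded rather than assumed, opt-outs that take effect immediately, deletion requests tracked against the 45-day deadline) and this section's call for consent flows, audit trails and a request-handling process into one small ledger. The purposes, request kinds, record layout, function names and the sample customers are constructed here for illustration; the 45-day figure is the article's "usually 45 days" and should be confirmed per state.

```python
"""Consent ledger and data-subject-request (DSAR) tracker with an append-only
audit trail. Added example; record layout, purposes and sample data are
constructed for illustration, not taken from any platform."""
from dataclasses import dataclass
from datetime import date, timedelta

DSAR_DEADLINE_DAYS = 45          # article: "usually 45 days"; confirm per state
PURPOSES = ("order_fulfillment", "email_marketing",
            "behavioral_tracking", "third_party_sharing")
REQUEST_KINDS = ("access", "deletion", "opt_out", "correction")
OPT_OUT_PURPOSES = ("email_marketing", "behavioral_tracking", "third_party_sharing")


@dataclass
class AuditEvent:
    day: date
    customer_id: str
    action: str
    detail: str


class ConsentLedger:
    """Per-customer, per-purpose consent with evidence, plus DSAR deadlines."""

    def __init__(self):
        self.consents = {}   # (customer_id, purpose) -> (granted, date, source)
        self.requests = []   # open and closed DSARs
        self.audit = []      # append-only; survives erasure as evidence of handling

    def _log(self, day, customer_id, action, detail):
        self.audit.append(AuditEvent(day, customer_id, action, detail))

    def record_consent(self, customer_id, purpose, granted, day, source):
        """`source` is where consent was captured (checkout box, preference page, link)."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.consents[(customer_id, purpose)] = (granted, day, source)
        self._log(day, customer_id,
                  "consent_granted" if granted else "consent_withdrawn",
                  f"{purpose} via {source}")

    def allowed(self, customer_id, purpose):
        """Default deny: a missing record is not consent."""
        entry = self.consents.get((customer_id, purpose))
        return bool(entry and entry[0])

    def open_request(self, customer_id, kind, received):
        if kind not in REQUEST_KINDS:
            raise ValueError(f"unknown request kind {kind!r}")
        req = {"customer_id": customer_id, "kind": kind, "received": received,
               "due": received + timedelta(days=DSAR_DEADLINE_DAYS), "completed": None}
        self.requests.append(req)
        self._log(received, customer_id, "dsar_received", f"{kind}, due {req['due']}")
        if kind == "opt_out":   # opt-out is honored at once, not at the deadline
            for purpose in OPT_OUT_PURPOSES:
                self.record_consent(customer_id, purpose, False, received, "dsar_opt_out")
            self.complete_request(req, received)
        return req

    def complete_request(self, req, day):
        req["completed"] = day
        self._log(day, req["customer_id"], "dsar_completed", req["kind"])

    def delete_customer(self, req, day):
        """Honor a deletion request: drop consent rows, keep only the audit evidence."""
        if req["kind"] != "deletion":
            raise ValueError("not a deletion request")
        cid = req["customer_id"]
        for key in [k for k in self.consents if k[0] == cid]:
            del self.consents[key]
        self.complete_request(req, day)

    def overdue(self, today):
        """Requests past their deadline with no completion date: escalate these."""
        return [r for r in self.requests if r["completed"] is None and today > r["due"]]

    def audience(self, purpose):
        """Customers a processor may be given for this purpose (e.g. the email list)."""
        return sorted(cid for (cid, p), (granted, _, _) in self.consents.items()
                      if p == purpose and granted)

    def evidence(self, customer_id):
        """What you hand a regulator for one customer: the full audit trail."""
        return [e for e in self.audit if e.customer_id == customer_id]


def build_sample_ledger():
    """Constructed sample: three customers, one opt-out, one stale deletion request."""
    led = ConsentLedger()
    d = date(2024, 3, 1)
    led.record_consent("c1", "order_fulfillment", True, d, "checkout")
    led.record_consent("c1", "email_marketing", True, d, "checkout_opt_in_box")
    led.record_consent("c2", "order_fulfillment", True, d, "checkout")  # no marketing consent
    led.record_consent("c3", "order_fulfillment", True, d, "checkout")
    led.record_consent("c3", "email_marketing", True, d, "checkout_opt_in_box")
    led.open_request("c3", "deletion", date(2024, 4, 1))   # left unhandled on purpose
    led.open_request("c1", "opt_out", date(2024, 4, 10))
    return led
```

Two design choices carry the compliance weight: `allowed` is default-deny, so the "assume every piece of PII requires consent" rule is enforced by the code path that feeds the email or pixel integration, and `audit` is never pruned, so a deletion leaves behind proof that the request was received and honored without keeping the customer's data. Running `overdue` on a schedule is what catches the ignored DSAR before a regulator does.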