The rise of the data economy has made personal consumer information – such as passport numbers, driver’s license details, and dates of birth – an integral part of everyday digital transactions, often entered alongside online payments.
Cybercriminals, meanwhile, have become increasingly sophisticated in how they monitor, steal, and exploit consumer data. Data breaches are no longer isolated incidents – they are a persistent and growing business risk. In 2024 alone, more than 3,100 data compromises were reported in the U.S., marking the second-highest year on record. Even more concerning, victim notifications surged to more than 1.7 billion, driven largely by a small number of massive “mega-breaches” exposing hundreds of millions of records at a time.
The financial and personal consequences of these breaches continue to escalate. According to IBM’s 2024 Cost of a Data Breach Report, the average global cost of a data breach reached $4.88 million, the highest figure ever recorded. And on the dark web, sensitive personal data remains extremely valuable: while a stolen credit card number may sell for under a few hundred dollars, full medical or identity records can command prices many times higher, making them a prime target for cybercriminals.
Once exposed, the misuse of personal data is virtually limitless, from identity theft and insurance fraud to fraudulent loans and long-term financial damage for affected individuals.
As the volume and value of personal data continue to grow, data privacy has become a fundamental business responsibility. Organizations are no longer judged solely on whether they can prevent breaches, but on how responsibly they collect, store, and protect sensitive information throughout its lifecycle. This shift has placed increased pressure on businesses to rethink how personal data is handled, safeguarded, and minimized, setting the stage for modern data privacy regulations around the world.
Data privacy regulations – GDPR and CCPA
Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two of the most well-known data privacy regulations. Enacted in 2018, GDPR’s goal is to protect the data and privacy of EU citizens. Under GDPR law, businesses with procedures that handle personal data must be compliant with the proper safeguards to protect data (for example, using pseudonymization or full encryption where appropriate) and must use the highest possible privacy settings by default, so that the datasets are not publicly available without explicit, informed consent, and cannot be used to identify a subject without additional information (which must be stored separately). If businesses are not compliant and consumer data is exposed, they face steep fines.
GDPR was the first of the major privacy and protection laws to truly impact how companies globally collect, store, and protect consumer data, while also addressing the transfer of consumer data to businesses located outside of the EU.
Also introduced in 2018, the goal of the CCPA is to enhance consumer privacy rights and consumer data protection for California residents, and it is considered to be one of the most expansive sets of state privacy laws in the U.S. Among its many stipulations, CCPA states that consumers will have the right to opt out of personal data sharing, the right to “remain anonymous,” the right to have their personal data protected from theft, and the right to know how their personal data is being used.
While the U.S. does not yet have nationwide data privacy regulations in place, they are on the horizon, with the American Data Privacy and Protection Act under draft legislation.
“Currently, there are 20 states – including California, Virginia, and Colorado, among others – that have comprehensive data privacy laws in place. Such laws generally apply across industries, with exceptions for certain data categories and entity types, and grant rights to individuals pertaining to the collection, use, and disclosure of their personal data by businesses.” Bloomberg Law
What information is defined as “sensitive” or “personal”?
Both GDPR and CCPA define personal information as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household including, but not limited to:

- A real name or alias, signature, or physical characteristics or description
- Postal address or telephone number
- Unique personal identifier, account name, online identifier, Internet Protocol address, or email address
- Education and employment, including employment history
- Social security number, driver’s license number, state identification card number, passport number, or other similar identifiers
- Medical information or health insurance information
- Bank account number, credit/debit card number or any other financial information
It is important to note that GDPR maintains a much broader definition of “personal information,” which can even include attributes such as mental, cultural, or social identity. But the core differences between GDPR and CCPA involve the scope of the laws and the jurisdictional reach of both.
How does tokenization relate to PHI and PII protection?
As discussed in our previous blog, tokenization is the process of removing sensitive information from your internal system — where it’s vulnerable to hackers — and replacing it with a one-of-a-kind token that is unreadable. The token is usually a random sequence of numbers and symbols. Tokenization masks valuable card data, PII, PHI and banking information, rendering sensitive data useless, even if hackers manage to breach your system.
While data privacy regulations do not mandate the type of technology adopted to secure data, GDPR and CCPA both discuss pseudonymization and encryption as relevant data security measures.
- Pseudonymization encodes personal data with artificial identifiers such as a random alias or code. While pseudonymization is a “false” anonymization because the data can be linked back to a person, the personal identifiers are stored outside of the company’s system or network. These personal identifiers would be required to re-identify the data subject, thus making it a secure practice. Tokenization is an advanced form of pseudonymization.
- Encryption renders data unintelligible to those who are not authorized to access it. Data encryption translates data into another form, or code, so that only those with access to the decryption key can read it.
One reason for tokens’ increasing use for sensitive, personal information is that they are versatile – they can be engineered to preserve the length and format of the data that was tokenized. Tokens can also be generated to preserve specific parts of the original data values; by adapting to the formats of conventional databases and applications, tokens can eliminate the need to change the database schema or business processes. Organizations can treat tokens as if they were the actual data strings.
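The format-preserving behaviour described above can be shown with a small sketch. This is an added example, not code from Bluefin or ShieldConex: it uses a simple in-memory vault (a vaulted design, chosen for brevity), and `TokenVault`, `tokenize`, `detokenize` and `keep_last` are hypothetical names; the sample values are constructed.

```python
import secrets
import string


def _random_like(c):
    """Random character of the same class as c; anything else is kept as-is."""
    for alphabet in (string.digits, string.ascii_uppercase, string.ascii_lowercase):
        if c in alphabet:
            return secrets.choice(alphabet)
    return c


class TokenVault:
    """Hypothetical in-memory vault; a real one runs outside the business system."""

    def __init__(self):
        self._by_token = {}  # token -> original value (the re-identification data)
        self._by_value = {}  # original value -> token

    def tokenize(self, value, keep_last=4):
        """Token with the same length and separators; last keep_last characters kept."""
        if value in self._by_value:  # a repeated input maps to the same token
            return self._by_value[value]
        alnum = [i for i, c in enumerate(value)
                 if c in string.ascii_letters + string.digits]
        if len(alnum) <= keep_last:
            raise ValueError("nothing left to randomize")
        randomize = set(alnum[: len(alnum) - keep_last])
        for _ in range(100):  # retry on the rare collision
            token = "".join(
                _random_like(c) if i in randomize else c for i, c in enumerate(value)
            )
            if token != value and token not in self._by_token:
                self._by_token[token] = value
                self._by_value[value] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    for sample in ("123-45-6789", "4111 1111 1111 1111", "X12345678"):  # constructed
        token = vault.tokenize(sample)
        print(f"{sample!r} -> {token!r} -> {vault.detokenize(token)!r}")
```

Because the token keeps the layout of the original, a column validated as `NNN-NN-NNNN` accepts it unchanged, while the mapping needed to re-identify the person stays in the vault.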
What are the benefits of tokenization for data privacy?
By employing tokenization as part of their data security program, businesses can achieve a number of benefits:
- Secures Data. Tokenization solutions have expanded beyond their original use in securing credit card information. They are now used to protect any industry that handles sensitive data, including social security numbers, birthdates, passport numbers, and account numbers – only accessing clear-text values when absolutely necessary.
- No Storage Requirements. Tokenization systems remove sensitive data from a business system, replacing it with an undecipherable token. The original data is then stored, processed and transmitted in a secure cloud environment—separated from the business systems.
- Cloud-based tokenization. Vaultless tokenization solutions have made the implementation of tokens more accessible than ever before. A streamlined process maintains the highest levels of security while offering a seamless solution managed in the cloud.
- Meet Compliance and Regulations. Using tokenization, companies significantly reduce the amount of collected data they store internally, translating into a smaller data footprint, meaning fewer compliance requirements and faster audits.
How do I select a payment tokenization solution?
Many providers offer tokenization for payment security, but one of the biggest considerations is the type of system – vaulted or vaultless. Vaultless tokenization systems are capable of handling large amounts of data and do it at a faster pace – in other words, the system is much more scalable with reduced latency. These systems are also generally considered to be more secure than their vaulted counterparts.
Bluefin’s ShieldConex® offers a vaultless, cloud-based approach to tokenization, returning the tokenized data to the client for storage. With no limit to the amount of data that can be tokenized, ShieldConex secures all CHD while also providing tokenization for PII, PHI, and ACH account data entered online.
ShieldConex does not store any of the original data – it is always tokenized and returned to the client, mitigating any data sovereignty issues. Additionally, there is no vault to lead to performance issues, and de-tokenization requests are returned instantaneously to the client.






