I’m not sure how it could be illegal. It definitely isn’t a good natural primary key (but then I’m firmly in the “natural PKs are harmful” camp anyway). And it’s certainly too easy to leak PII by using it as a PK. But I’m struggling to imagine a coherent legal structure which accepts collecting SSN data but mandates limits on how it can be used in a database schema.
On the one hand, an SSN (or any identifying number) should not need to be any more secret than the name it is replacing; your SSN should be able to be publicly available.
However, this is the real world, and many people and institutions use the SSN as the sole source of identity, which means it needs to be kept secret.
Unfortunately, about 40 years ago, I was employed by a corporation in a capacity that required them to file documents identifying me by SSN to state regulators in several states, such documents being available for the public to inspect, notwithstanding that I still have my original Social Security card, which says thereon quite clearly "Not for Identification."
The SSN does not have the attributes of a good permanent identifier of a unique person. If you get an SSN with three consecutive 6's in it, you can get it changed to another one not containing that string. Worse yet, the Social Security Administration has reserved the right to reuse the SSNs of deceased persons (IDK if they can or might do that without giving further notice). Furthermore, the US government talks as if there are two completely different kinds of numbers that each use 9 digits, and that they might overlap, i.e. use the same numbers for different entities: one being SSNs and ITINs, and the other EINs. However, the practice of the IRS and SSA has been to do their best to make sure that they do not overlap, at which the results have been as good as can be expected, but not perfect.
As many games have been lost by one card too many as by one card too few.
The approach just seems to be asking for identity theft/fraud...