Personally identifiable information (PII) is information that can be used to identify, contact, or locate an individual person. Also referred to as personal data or personal information, PII includes data such as name, address, email, phone, social security number, credit card number, banking information, date of birth, mother’s maiden name, etc. Organizations that collect PII must implement strong data governance practices to manage it responsibly.
You can separate PII into two categories:
- Sensitive PII: Personal information that can result in serious damage to an individual if lost or stolen. This type of PII must be secured and encrypted when transmitted, often using techniques like data masking.
- Non-sensitive PII: Personal information that can be obtained by publicly available sources such as race, zip code, gender, or date of birth. Non-sensitive PII cannot discern an individual’s identity (unless combined with sensitive PII) and does not need to be encrypted when transferred.
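As an added example (not code from the original page), the following Python routine applies the split above before a record is written to a log or shared with a partner: fields in the sensitive category are masked, fields in the non-sensitive category pass through unchanged. The field names, the sample record and the masking rules are assumptions made for the example.

```python
import re

# Field-level classification following the page's two categories.
# The field names are assumptions for this example, not a standard.
SENSITIVE_FIELDS = {"ssn", "credit_card", "bank_account", "mothers_maiden_name", "email", "phone"}
NON_SENSITIVE_FIELDS = {"zip_code", "gender", "race", "date_of_birth"}
NUMERIC_FIELDS = {"ssn", "credit_card", "bank_account", "phone"}


def mask_value(field, value):
    """Mask one sensitive value, keeping only what is needed for support work."""
    if field in NUMERIC_FIELDS:
        # Keep the last four digits, hide everything else (including separators).
        digits = re.sub(r"\D", "", value)
        return "*" * max(len(digits) - 4, 0) + digits[-4:]
    if field == "email":
        # Keep the first character and the domain so the record stays recognisable.
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain if domain else "***"
    return "***"


def sensitive_fields_present(record):
    """Return the sensitive PII field names that a record actually carries."""
    return sorted(f for f in record if f in SENSITIVE_FIELDS)


def mask_record(record):
    """Return a copy of the record with sensitive PII masked and other fields untouched."""
    masked = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS:
            masked[field] = mask_value(field, str(value))
        else:
            masked[field] = value
    return masked


if __name__ == "__main__":
    # Constructed sample record for demonstration only.
    sample = {"name": "Alice Example", "ssn": "123-45-6789",
              "email": "alice@example.com", "zip_code": "94105",
              "credit_card": "4111 1111 1111 1111"}
    print(sensitive_fields_present(sample))
    print(mask_record(sample))
```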
Privacy Regulations Protect PII
Many privacy regulations address how companies must collect and manage PII. The most well-known is the European Union’s (EU) GDPR (General Data Protection Regulation).
Other privacy regulations include the CCPA (California Consumer Privacy Act), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and South Africa’s Protection of Personal Information Act (POPI). Every year, more regulations come into force, including additional US state privacy laws. GDPR has been a guiding standard for many of the privacy laws emerging today, as it is one of the most stringent in how companies may capture, store, and use personal information and in its penalties for non-compliance.
Each piece of privacy legislation defines PII slightly differently and has different requirements for how PII is managed. For example, the GDPR also treats cookies and IP addresses as personal data, but other regulations do not. Also, CCPA does not apply to all companies; instead, it focuses on companies that do business in California and exceed a certain revenue level (along with other qualifiers).
Growing Concerns Over the Protection of PII
Although the proper security and protection of PII have been necessary for a long time, it’s only been in the last few years with the growth of digital experiences that data privacy has become a serious issue. As a result, consumers have become more concerned with why and how companies collect their personal information, what they are doing with it, and how they are keeping it safe.
Cyber-attacks and data breaches increase every year, making identity resolution processes a particular concern, and millions of consumers have had their data stolen and misused. For example, global ransomware damage is predicted to exceed $265 billion by 2031. In addition, some companies sell their customer data, and it is not always clear how that data is used, or abused, by the companies that buy it.
Managing Privacy and PII
Regardless of which privacy regulations a company has to adhere to, it is critical to manage personally identifiable information (PII) securely. A customer data platform can help centralize PII management while maintaining compliance. To do this, companies have appointed a Chief Privacy Officer and privacy teams to manage privacy processes. These processes cover what information is collected and used, how PII is stored and protected, adherence to applicable privacy regulation requirements such as consent management, and handling of non-compliance issues, data breaches, and similar events.
FAQ
What is the difference between PII and sensitive PII?
Sensitive PII includes information that could cause serious harm if exposed, such as Social Security numbers, financial account details, medical records, and biometric data, requiring encryption in transit and at rest. Non-sensitive PII includes publicly available information like zip codes, gender, and race that alone cannot identify individuals. Sensitive PII demands stricter security controls and carries higher penalties for breaches.
Can IP addresses be considered PII?
Whether IP addresses qualify as PII depends on the regulation and context. GDPR considers IP addresses as personal data because they can potentially identify individuals, especially when combined with other information. US regulations like CCPA may classify IP addresses as personal information in certain contexts. The safest approach is to treat IP addresses as PII and apply appropriate privacy protections.
How long should companies retain PII?
Companies should retain PII only as long as necessary for the specific purpose it was collected, as required by regulations like GDPR. Retention periods vary by data type, business need, and legal requirements—some industries have minimum retention periods while privacy laws impose maximum limits. Implement a clear data retention policy with regular reviews to delete or anonymize PII when no longer needed.
Related Terms
- Data Clean Room — Enables privacy-safe data collaboration without exposing raw PII
- Cookieless Tracking — Alternative tracking methods that reduce reliance on PII collection
- Data Lifecycle Management — Governs PII retention, archival, and deletion policies
- Golden Record — The unified customer profile where PII is consolidated and managed