What does pii stand for


What is PII, non-PII, and personal data? [UPDATED]

Published October 21, 2020 · Updated April 13, 2021


Personally identifiable information (PII) and personal data are two classifications of data that often cause confusion for organizations that collect, store and analyze such data.

PII is used in the US but no single legal document defines it. The legal system in the United States is a blend of numerous federal and state laws and sector-specific regulations. They all define and classify different pieces of information under the PII umbrella.

On the other hand, personal data has one legal meaning, which is defined by the General Data Protection Regulation (GDPR), accepted as law across the European Union (EU).

Both terms cover common ground, classifying information that could reveal an individual’s identity directly or indirectly.

But why is all that so important? As a website admin, app creator or product owner, you need to be aware that the traces visitors and users leave behind could be of a sensitive nature. These traces might enable you to identify individuals, so you need to handle such data with the utmost caution. From a legal standpoint, it could be a matter of breaches and violations with serious consequences. Grasping the bigger picture is crucial for your organization’s security and legal compliance.

What is personally identifiable information (PII)?

PII is often referenced by US government agencies and non-governmental organizations. Yet the US lacks one overriding law about PII, so your understanding of PII may differ depending on your particular situation.

It says that:

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

However, the line between PII and other kinds of information is blurry. As stressed by the US General Services Administration, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.

What pieces of information are considered PII?

According to NIST, PII can be divided into two categories: linked and linkable information.

Linked information is more direct. It could include any personal detail that can be used to identify an individual, for instance:

*Of note!

NIST states that linked information can be “Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people”. That means cookies and device ID fall under the definition of PII.

Linkable information is indirect and on its own may not be able to identify a person, but when combined with another piece of information could identify, trace or locate a person.

Here are some examples of linkable information:


What is non-PII?

Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person. Examples of non-PII include, but are not limited to:

However, the classification of PII and non-PII is vague. Moreover, NIST doesn’t reference cookie IDs and device IDs, so many AdTech companies, advertisers, and publishers consider them as non-PII. As we’ll see, this is in contrast to the definition of personal data, which treats such digital trackers as information that could identify an individual.

What is personal data?

Personal data is a legal term that the GDPR defines as the following:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

This definition applies not only to a person’s name and surname, but to details that could identify that person. That’s the case when, for instance, you’re able to identify a visitor returning to your website with the help of a cookie or login information.

Under the GDPR you can consider cookies as personal data because according to

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

And the definition of personal data covers various pieces of information such as:

Basically, it’s any information relating to an individual or identifiable person, directly or indirectly.

What is non-personal data?

Following the GDPR provisions, non-personal data is data that won’t let you identify an individual. The best example is anonymous data. According to

The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Other examples of non-personal data include, but are not limited to:


How PII differs from personal data

As we’ve already mentioned, in certain contexts the differences between these two types of data seem quite vague. If we need to draw a clear line here, we would look at the legal framework and at whom the rules apply to.

Legal framework

All rules and responsibilities regarding personal data are set out by the GDPR, which aims to strengthen and unify data collection from EU residents. This also means that there is a more unified approach to enforcement, which has been steadily increasing since May 2018, when GDPR entered into force.

Source: enforcementtracker.com, provided by CMS Law.Tax

It’s much harder to define a single piece of legislation that controls PII because of the lack of a single federal law governing its use. However, among the various laws that do govern the collection and usage of PII, the most prominent are:

Furthermore, both governmental and non-governmental organizations regulate the proper use of PII, including:

Where rules on PII and personal data apply

Since personal data is strictly connected to the GDPR, it concerns all residents and citizens of the member states of the European Economic Area – the 28 Member States of the EU plus Iceland, Liechtenstein, and Norway. We’ll refer to this group as EU residents, for short.

Still, the scope of the GDPR is not really limited to the EU. It impacts not only EU-based entities, but virtually every business dealing with the data of EU residents.

By contrast, it’s much more difficult to determine the jurisdictions where PII is applicable.

Even in the US, where PII is certainly applicable, how it’s applied varies both from state to state and from sector to sector. Several legal documents and industry standards have their own opinion about what PII is.

As a result, determining who PII applies to and how is quite difficult.


Staying up to date on data privacy regulations

The broad definitions of PII and personal data are evolving to cover more and more kinds of data. The differences between the two are also becoming less distinct. The legal requirements are getting stricter on both sides of the Atlantic.

Those changes will bring new challenges. For organizations of all kinds, this means taking a closer look at the data they collect and keeping up with the changing legal landscape to stay compliant.

We hope that our blog post has answered at least some of your questions regarding PII and personal data. But if you want to learn more, feel free to contact us anytime. Our experts will be happy to fill you in!

What does PII stand for?

What does PII mean? This page is about the various possible meanings of the acronym, abbreviation, shorthand or slang term: PII.

Personally identifiable information

Polaris Industries, Inc.

Pentium II microprocessor

Publisher Item Identifier

Public Interest Immunity

Pipeline Integrity International

Professional Innovations, Inc.

Printing Industry of Illinois/Indiana

Pork Industry Institute

Publishers Item Identifier

People International, Inc.

Pork Industry Institute, Texas Tech University

Program Image Inspector

Phillip Field, Fairbanks, Alaska

Professional Indemnity Insurance

Personally Identifying Information

Professional Investigators International

Peace Islands Institute

Personal Identity Information

Polaris Industries Inc

Privacy Identity Innovation

Permanency Innovations Initiative

Princeton in Ishikawa

Pharmaceutics International Inc


Personally Identifiable Information (PII)


What Is Personally Identifiable Information (PII)?

Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual.

PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.

Key Takeaways

Understanding Personally Identifiable Information

Advancing technology platforms have changed the way businesses operate, governments legislate, and individuals relate. With digital tools like cell phones, the Internet, e-commerce, and social media, there has been an explosion in the supply of all kinds of data.

Big data, as it is called, is being collected, analyzed, and processed by businesses and shared with other companies. The wealth of information provided by big data has enabled companies to gain insight into how to better interact with customers.

However, the emergence of big data has also increased the number of data breaches and cyberattacks by entities who realize the value of this information. As a result, concerns have been raised over how companies handle the sensitive information of their consumers. Regulatory bodies are seeking new laws to protect the data of consumers, while users are looking for more anonymous ways to stay digital.

Sensitive vs. Non-Sensitive Personally Identifiable Information

Sensitive PII

Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes legal statistics such as:

The above list is by no means exhaustive. Companies that share data about their clients normally use anonymization techniques to encrypt and obfuscate the PII, so it is received in a non-personally identifiable form. An insurance company that shares its clients’ information with a marketing company will mask the sensitive PII included in the data and leave only information related to the marketing company’s goal.

Non-Sensitive PII

Non-sensitive or indirect PII is easily accessible from public sources like phonebooks, the Internet, and corporate directories. Examples of non-sensitive or indirect PII include:

The above list contains quasi-identifiers and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity.

However, non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual. De-anonymization and re-identification techniques tend to be successful when multiple sets of quasi-identifiers are pieced together and can be used to distinguish one person from another.

Regulating and safeguarding personally identifiable information (PII) will likely be a dominant issue for individuals, corporations, and governments in the years to come.

Safeguarding Personally Identifiable Information (PII)

Multiple data protection laws have been adopted by various countries to create guidelines for companies that gather, store, and share the personal information of clients. Some of the basic principles outlined by these laws state that some sensitive information should not be collected except in extreme situations.

Also, regulatory guidelines stipulate that data should be deleted if no longer needed for its stated purpose, and personal information should not be shared with sources that cannot guarantee its protection.

Cybercriminals breach data systems to access PII, which is then sold to willing buyers in underground digital marketplaces. For example, in 2015, the IRS suffered a data breach leading to the theft of more than a hundred thousand taxpayers’ PII.

Using quasi-information stolen from multiple sources, the perpetrators were able to access an IRS website application by answering personal verification questions whose answers should have been known only to the taxpayers.

Safeguarding PII may not always be the sole responsibility of a service provider. In some cases, it may be shared with the individual.

How PII Is Stolen

Many thieves find PII of unsuspecting victims by digging through their trash for unopened mail. This can provide them with a person’s name and address. In some cases, it can also reveal information about their employment, banking relationships, or even their social security numbers.

Nowadays, the Internet has become a major vector for identity theft. Phishing and social engineering attacks use a deceptive-looking website or email to trick someone into revealing key information, such as their name, bank account numbers, passwords, or social security number. It is also possible to steal this information through deceptive phone calls or SMS messages.

Tips on Protecting PII

While it is not possible to fully protect yourself, you can make yourself a smaller target by reducing the opportunities to steal your PII. Experian, one of the top three credit agencies, lists several steps that you can take to reduce your surface area.

For example, a locked mailbox or PO box makes it harder for thieves to steal your mail and removing personal identification from junk mail and other documents makes it harder for identity thieves to associate a name with an address. Also, avoid carrying more PII than you need—there’s no reason to keep your social security card in your wallet.

Likewise, there are some steps you can take to prevent online identity theft. Data leaks are a major source of identity theft, so it is important to use a different, complex password for each online account. Always encrypt your important data, and use a password for each phone or device. It is also a good idea to reformat your hard drive whenever you sell or donate a computer.

Personally Identifiable Information Around the World

The definition of what comprises PII differs depending on where you live in the world. The following are the privacy regimes in specific jurisdictions:

United States

In the United States, the government defined “personally identifiable” in 2020 as anything that can “be used to distinguish or trace an individual’s identity” such as name, SSN, and biometrics information; either alone or with other identifiers such as date of birth or place of birth.

Europe

In the European Union (EU), the definition expands to include quasi-identifiers as outlined in the General Data Protection Regulation (GDPR) that went into effect in May 2018. The GDPR is a legal framework that sets rules for collecting and processing personal information for those residing in the EU.

Australia

Personal information is protected by the Privacy Act 1988. This law regulates the collection, storage, use, and disclosure of personal information, whether by the federal government or private entities. Later amendments regulate the use of healthcare identifiers and establish the obligations of entities that suffer from a data breach.

Canada

The Personal Information Protection and Electronic Documents Act regulates the use of personal information for commercial use. This is defined as information that on its own or combined with other data, can identify you as an individual.

Personally Identifiable Information vs. Personal Data

Personal data encompasses a broader range of contexts than PII, for instance your IP address, device ID numbers, browser cookies, online aliases, or genetic data. Certain attributes such as religion, ethnicity, sexual orientation, or medical history may be classified as personal data but not personally identifiable information.

Example of Personally Identifiable Information

In early 2018, Facebook Inc. (META), now Meta, was embroiled in a major data breach. The profiles of 30 million Facebook users were collected without their consent by an outside company called Cambridge Analytica. Cambridge Analytica got its data from Facebook through a researcher who worked at the University of Cambridge. The researcher built a Facebook app that was a personality quiz. An app is a software application used on mobile devices and websites.

The app was designed to take the information from those who volunteered to give access to their data for the quiz. Unfortunately, the app collected not only the quiz takers’ data but, because of a loophole in Facebook’s system, was able also to collect data from the friends and family members of the quiz takers.

As a result, over 50 million Facebook users had their data exposed to Cambridge Analytica without their consent. Although Facebook banned the sale of their data, Cambridge Analytica turned around and sold the data to be used for political consulting. Mark Zuckerberg, Facebook founder and CEO, released a statement within the company’s Q1-2019 earnings release:

We are focused on building out our privacy-focused vision for the future of social networking and working collaboratively to address important issues around the Internet.

The following day, on April 25, 2019, Meta announced it was banning personality quizzes from its platform.

Companies will undoubtedly invest in ways to harvest data, such as personally identifiable information (PII), to offer products to consumers and maximize profits. Still, they will be met with more stringent regulations in the years to come.

What Qualifies as PII?

Personally identifiable information is defined by the U.S. government as:

“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

What Is Not PII?

Personal data is not classified as PII, nor is non-personal data such as the company you work for, shared data, or anonymized data.

What Is a PII Violation?

PII violations are illegal, and often involve frauds such as identity theft. Violations may also stem from unauthorized access, use, or disclosure of PII. Failure to report a PII breach can also be a violation.

What Must You Do When Emailing PII?

Because email is not always secure, try to avoid emailing PII. If you must, use encryption or secure verification techniques.

What Laws Protect PII?

Various federal and state consumer protection laws protect PII and sanction its unauthorized use; for instance, the Federal Trade Commission Act and the Privacy Act of 1974.

The Bottom Line

Personal Identifying Information (PII) is any type of data that can be used to identify someone, from their name and address to their phone number, passport information, and social security numbers. This information is frequently a target for identity thieves, especially over the Internet. For that reason, it is essential for companies and government agencies to keep their databases secure.

Your introduction to personally identifiable information: What is PII?

It’s important to learn about personally identifiable information (PII) because of how it relates to data privacy. Identifiable information can be used for illegal purposes like identity theft and fraud.

So how can you protect yourself as an innocent web browser?

Or, if you’re a website owner – how do you protect users and your company from falling prey to privacy breaches?

As one of the most trusted analytics solutions, we feel our readers would benefit from being as informed as possible about data privacy issues and PII. Learn how you can keep your own or others’ information safe.


What does PII stand for?

PII acronym

‘PII’ is an acronym for personally identifiable information.

PII definition

Personally identifiable information (PII) is defined as any information that can be used to identify a person’s identity. It’s a term primarily used in the US.

“The term ‘personally identifiable information’ refers to information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

What can be considered personally identifiable information (PII)? Some PII examples:

What’s non-PII?

Who is affected by the exploitation of PII?

Anyone can be affected by the misuse of personal data. Websites can compromise your privacy by mishandling or illegally selling/sharing your data. This may lead to identity theft, account fraud and account takeovers. The fear is falling victim to such fraudulent activity.

PII can also be an issue when employees can access databases where the data is not encrypted. For example, anyone working in a bank can access your accounts; and anyone working at Facebook can read your messages. This shows how privacy breaches can easily happen when employees have access to PII.

Website owner’s responsibility for data privacy (PII and analytics)

If you’re using a web analytics tool like Google Analytics or Matomo, best practice is not to collect PII if possible. This is to better respect your website visitors’ privacy.

If you work in an industry which needs people to share personal information (e.g. healthcare, security industries, public sector), then you must collect and handle this data securely.

The US National Institute of Standards and Technology states: “The likelihood of harm caused by a breach involving PII is greatly reduced if an organisation minimises the amount of PII it uses, collects, and stores. For example, an organisation should only request PII in a new form if the PII is absolutely necessary.”

How you’re held accountable remains up to the privacy laws of the country you’re doing business in. Make sure you are fully aware of these privacy and data protection laws that relate specifically to you.

To reduce the risk of privacy breaches, try collecting as little PII as you can; purging it as soon as you can; and making sure your IT security is updated and protected against security threats.

With data collection tools like web analytics, data may be tracked through features like User ID, custom variables, and custom dimensions. PII is sometimes harder to spot when it is present in, for example, page URLs, page titles, or referrer URLs. So make sure you’re optimising your web analytics tools’ settings to ensure you’re asking your users for consent and respecting users’ privacy.

PII, GDPR and businesses in the US/EU

You may get confused when considering PII and GDPR (which applies in the EU). The General Data Protection Regulation (GDPR) gives people in the EU more rights over “personal data” – which covers more identifiers than PII (more on PII vs personal data below). GDPR restricts the collection and processing of personal data so businesses need to handle this personal data carefully.

According to the GDPR, businesses can be fined up to 4% of their yearly revenue for data/privacy breaches or non-compliance.

To be on the safe side, if you’re using analytics, follow matters relating to “personal data” in the GDPR. It covers more when it comes to protecting user privacy. GDPR rules still apply whenever an EU citizen visits any non-EU site (that processes personal data).

Personally identifiable information (PII) vs personal data

The definition of “personal data” according to the GDPR:

The everything guide to PII: What does it know? Does it know things? Let’s find out.

by Olivia Marlowe-Giovetti

No, we didn’t misspell pi (or pie, mmm). PII stands for “Personally Identifiable Information” and this kind of information is something that your Google Analytics property could be recording right at this very moment. You want to gain insight as to who is interacting with your website, but using PII is not the way to go about doing it, and in fact it can get you into trouble with Google if they catch wise.
Fortunately, while PII is a big deal, it’s also an easily resolvable one. Here’s what it’s all about.

What is Personally Identifiable Information?

A number of data points can constitute PII. Personally Identifiable Information includes a user’s name, their social security number, email address, data identifying a particular device (like a mobile phone’s serial number), or any similar data in this vein.
It’s important to note that the U.S. General Services Administration doesn’t restrict the definition of “PII” to any specific category of information or technology. In the GSA’s Privacy Act, they refer to this information as:

“[Anything] that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.… In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”

Yes, you are able to collect much of this data from users, but they have to enter it willingly and the information cannot be encoded into any transmittable data.

What does that mean for my website?

One of the more common ways that PII is stored is in Google Analytics. Per the GA terms of service:

“You will not and will not assist or permit any third party to, pass information to Google that Google could use or recognize as personally identifiable information.”

If Google detects that PII is being sent and/or stored, they will terminate your account and destroy your data. Depending on the breach and your location in the world, you could also be looking at fines and misdemeanors. Check with your legal department or an attorney to know what laws are specific to your country and/or territory.

But what if I don’t know that my website is collecting PII?

That’s why you should check! PII can be spotted in Google Analytics and may come up as events if users are signing up with their email addresses, or it can manifest in URLs (such as unsubscribe URLs).
An ounce of prevention is worth a pound of cure here: Make sure the configurations being set up in your Google Analytics are never collecting PII. In auditing your GA account, you should also be aware of the ways that PII can be collected. Make it a monthly practice to check for these canaries in the coal mine.

How do I know if my website is collecting PII?


What do I do if I find PII?

Act immediately. If your website is collecting PII, this is a top priority to address. Work with your developer to stop collecting PII through the website. From there, strip the query parameters in Google Tag Manager to remove PII on that end.
Next, back up your account data with an export. From there, create a new view by copying the existing view to make sure it is PII-free going forward.
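
The checks described above (PII surfacing in page URLs, page titles and referrer URLs, and stripping query parameters before a hit is recorded) can be sketched in JavaScript. This is an added example, not code from the original articles or from any analytics vendor; the parameter names, patterns, placeholder host and sample URLs are assumptions constructed for illustration.

```javascript
// Added example: keep PII out of the page URL, referrer and title fields
// before they are handed to an analytics tool. All names are assumptions.

// Query parameter names treated as PII regardless of their value (assumed list).
const PII_PARAM_NAMES = new Set([
  "email", "e-mail", "mail", "name", "first_name", "last_name",
  "phone", "ssn", "address",
]);

// Value patterns: an email address and a US social security number.
const PII_VALUE_PATTERNS = [
  { kind: "email", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
  { kind: "us_ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
];

const PLACEHOLDER = "REDACTED";

// Returns the kind of PII found in a decoded value, or null.
function classify(value) {
  for (const { kind, re } of PII_VALUE_PATTERNS) {
    if (re.test(value)) return kind;
  }
  return null;
}

// Percent-decoding throws on malformed input; fall back to the raw text.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

// Scrubs a page or referrer URL. Relative input returns path + query,
// absolute input returns the full URL. Kept parameters are re-serialized,
// so their percent-encoding may be normalized.
function scrubUrl(rawUrl) {
  const isAbsolute = /^[a-z][a-z0-9+.-]*:/i.test(rawUrl);
  const url = new URL(rawUrl, "https://placeholder.invalid");
  const findings = [];

  // Query string: drop parameters whose name or value looks like PII.
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const kind = classify(value);
    if (kind || PII_PARAM_NAMES.has(key.toLowerCase())) {
      findings.push({ where: "query", key, kind: kind || "param_name" });
    } else {
      kept.append(key, value);
    }
  }
  url.search = kept.toString();

  // Path, e.g. /unsubscribe/<email>: replace only the offending segment.
  url.pathname = url.pathname.split("/").map((segment) => {
    const kind = classify(safeDecode(segment));
    if (!kind) return segment;
    findings.push({ where: "path", kind });
    return PLACEHOLDER;
  }).join("/");

  // Fragment: drop it entirely if it carries a PII-looking value.
  const hashKind = classify(safeDecode(url.hash));
  if (hashKind) {
    findings.push({ where: "fragment", kind: hashKind });
    url.hash = "";
  }

  const clean = isAbsolute ? url.href : url.pathname + url.search + url.hash;
  return { clean, findings };
}

// Scrubs free text such as a page title.
function scrubText(text) {
  let out = text;
  for (const { re } of PII_VALUE_PATTERNS) {
    out = out.replace(new RegExp(re.source, re.flags + "g"), PLACEHOLDER);
  }
  return out;
}

// Constructed sample page paths, as they might appear in an analytics report.
const samplePaths = [
  "/unsubscribe?email=jane.doe%40example.com&utm_source=newsletter",
  "/account/jane.doe%40example.com/settings",
  "/search?q=shoes&page=2",
];
for (const path of samplePaths) {
  const { clean, findings } = scrubUrl(path);
  console.log(findings.length ? "PII  " : "ok   ", clean);
}
```

Run the page location, referrer and title through these functions before passing them to the tracker, and use the `findings` list for a periodic audit of page paths that were already collected.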

What does Google say?
