Personally Identifiable Information is a class of consumer data that, on its own, could potentially be used to identify an individual.
Personally Identifiable Information (PII) is a term used to define data that can, by itself, identify an individual. The concept has become prevalent as data collection has grown more common through digital technologies.
The National Institute of Standards and Technology defines PII as:
Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
No comprehensive list of personally identifiable attributes exists, but some are universally agreed on as PII:
- First & last name
- Physical address
- Email address
- Social Security number
- Passport number
- Phone number
In recent years several jurisdictions have begun to regulate the collection and usage of PII. Each law has its nuances, but generally, they have similar definitions for PII.
The laws governing PII are continually evolving and leave room for interpretation as to what constitutes PII and what is non-PII data. Each organization's legal counsel and compliance teams should set an internal policy defining PII and how it is handled internally.
General Data Protection Regulation (GDPR)
GDPR is a European Union regulation on data collection and privacy that was enacted in 2016 and took effect in 2018. The law is broadly seen as the most comprehensive privacy regulation, and it was written specifically for a quickly evolving digital landscape.
GDPR defines personal data as:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
California Consumer Protection Act (CCPA)
CCPA is a law that was put into effect on January 1st, 2020, by the state of California. It is regarded as the most comprehensive privacy law by any state government within the United States. It has been a model for how other states have thought about their privacy regulation.
CCPA defines personal information as:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Other laws and regulations exist that define PII, including:
- Australia's Privacy Act of 1988
- The UK Data Protection Act
- Switzerland's Federal Act on Data Protection
Organizations frequently want to collect data without its associated PII. For many use cases the PII itself provides no value and acts only as a unique identifier for the data. In these cases companies often use pseudonymization techniques that allow them to collect the data without storing PII while preserving the underlying value of the data. An example pseudonymization technique is hashing PII identifiers such as email addresses.
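As an added example (not from the original page), the routine below pseudonymizes email addresses in Python and shows the caveat a practitioner would attach to the technique: an unkeyed hash is deterministic and can be recomputed by anyone who can guess the address, so a keyed hash (HMAC) with a secret held by the organization is the usual choice. The pepper value, field names and sample records are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret for the example; in practice load it from a secrets manager
# and never store it alongside the pseudonymized data.
PEPPER = b"example-pepper-not-for-production"

# Constructed sample records containing one PII field (email) and one non-PII field.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com ", "plan": "pro"},
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
]


def normalize_email(email: str) -> str:
    """Canonicalize so 'Alice@Example.com ' and 'alice@example.com' map to one pseudonym."""
    return email.strip().lower()


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256. Deterministic, but needs no secret, so anyone holding a
    candidate address can recompute it and link the pseudonym back to a person."""
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def pseudonymize(email: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash (HMAC-SHA256). Equal inputs still give equal pseudonyms, so records
    can be joined, but the mapping cannot be recomputed without the pepper."""
    return hmac.new(pepper, normalize_email(email).encode(), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, pii_fields=("email",)) -> dict:
    """Return a copy of the record with each PII field replaced by its pseudonym."""
    out = dict(record)
    for field in pii_fields:
        if out.get(field) is not None:
            out[field] = pseudonymize(out[field])
    return out


def pseudonymize_dataset(records) -> list:
    """Pseudonymize every record; non-PII fields (here 'plan') are left as they are."""
    return [pseudonymize_record(r) for r in records]


def recomputable_without_secret(pseudonym: str, candidates) -> bool:
    """Risk check: can the pseudonym be reproduced from candidate addresses with no secret?
    True for plain_hash output, False (with overwhelming probability) for HMAC output."""
    return any(plain_hash(c) == pseudonym for c in candidates)
```

Joins on the pseudonym still work because both spellings of Alice's address collapse to the same value, while the pepper keeps the pseudonym from being reproduced by an outsider.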
- NIST: Personally Identifiable Information
- Wikipedia: Personal data
- State of California: CCPA
- European Commission: Data protection