PII stands for Personally Identifiable Information, a term usually used to describe data that can be used to identify an individual in the context of a particular activity. The term is used in the US, where it is not defined in any single regulation, whereas in the EU it is used within the GDPR data protection regulations. In both contexts, PII classifies information that reveals a given user's identity, either directly or indirectly.

From the legal standpoint, identifying PII is essential for determining which information falls under data protection regulations. That data must then be handled according to the required data governance policies for usage and retention, and it must be protected against data breaches and usage violations.

PII includes any information about individuals that is stored by companies or organizations and that might be used to identify them, for example:

  • Names or contact details, initials, addresses, dates of birth, or biometric records.
  • Medical, educational, employment, or financial information.
  • Login details, IP details, MAC address, cookies.

The information that might be classified as PII is diverse and, in all cases, requires a case-by-case assessment to determine the specific risks associated. In a broader sense, PII data has two types:

  • Linked information: Information that can be used on its own to identify an individual, such as names, home and email addresses, and identification numbers.
  • Linkable information: Information that identifies an individual only indirectly, once aggregated with other data. Examples are last names, geographical data, and employment data.
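To make the linked/linkable split concrete, here is a small classifier, added as an example and not part of the original article or any Satori product code. It assumes a constructed starter list of field names for each category, which any real deployment would replace with its own data-classification policy, and it includes free-text detectors for the technical identifiers the list above mentions (email, IP and MAC addresses) so that it can also be run over an application log line. A record that carries a single linked field is rated "direct"; one with no linked field but two or more linkable fields is rated "indirect", reflecting the point that linkable data becomes identifying when aggregated.

```python
import re

# Constructed starter lists following the article's two categories.
# Assumption: these names are illustrative, not a standard taxonomy.
LINKED_FIELDS = {"full_name", "email", "home_address", "national_id", "passport"}
LINKABLE_FIELDS = {"last_name", "city", "job_title", "employer",
                   "ip", "mac", "cookie_id", "dob"}

# Detectors for technical identifiers that show up in free text such as logs.
# Dates are deliberately not matched here: a timestamp in a log line is not
# a date of birth, and matching it would produce false positives.
TEXT_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
}


def classify_field(name):
    """Return 'linked', 'linkable' or 'none' for a field or detector name."""
    key = name.lower()
    if key in LINKED_FIELDS:
        return "linked"
    if key in LINKABLE_FIELDS:
        return "linkable"
    return "none"


def assess_record(record):
    """Rate a dict record and return (level, linked_fields, linkable_fields).

    direct   : at least one linked identifier is present
    indirect : no linked identifier, but two or more linkable fields that
               could be aggregated to single out the person
    low      : a single linkable field on its own
    none     : nothing the policy classifies as PII
    """
    linked = sorted(k for k, v in record.items()
                    if v and classify_field(k) == "linked")
    linkable = sorted(k for k, v in record.items()
                      if v and classify_field(k) == "linkable")
    if linked:
        level = "direct"
    elif len(linkable) >= 2:
        level = "indirect"
    elif linkable:
        level = "low"
    else:
        level = "none"
    return level, linked, linkable


def scan_text(line):
    """Find technical identifiers in free text; returns (kind, category, value)."""
    hits = []
    for kind, pattern in TEXT_PATTERNS.items():
        for match in pattern.finditer(line):
            hits.append((kind, classify_field(kind), match.group(0)))
    return hits


def redact(line):
    """Replace every detected identifier with a placeholder such as [EMAIL]."""
    out = line
    for kind, pattern in TEXT_PATTERNS.items():
        out = pattern.sub(f"[{kind.upper()}]", out)
    return out


# Constructed sample data (example.org and 203.0.113.0/24 are reserved for
# documentation, so nothing here refers to a real person or host).
SAMPLE_RECORDS = [
    {"full_name": "Ada Example", "email": "ada@example.org", "city": "Berlin"},
    {"last_name": "Example", "job_title": "Engineer", "employer": "Example GmbH"},
    {"city": "Berlin"},
    {"order_id": "A-1001", "total": "42.00"},
]
SAMPLE_LOG = ("user login ok email=ada@example.org "
              "src=203.0.113.7 mac=00:1A:2B:3C:4D:5E")

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(assess_record(rec))
    print(scan_text(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The rating thresholds (one linked field, or two linkable fields) are a policy choice for the example; the point a practitioner should take from it is that the classification has to look at the combination of fields in a record, not at each field in isolation.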

GDPR states that natural persons leave digital traces that can be associated with devices, internet protocol addresses, or other digital identification tags. Linkable information can be obtained from several such sources; once aggregated, it can be used to construct a detailed view of each individual's digital traces and, ultimately, to match digital entities with their real-life counterparts.

Even in regulations, the definitions given for PII are vague and, as mentioned above, require case-by-case assessment to determine whether information is PII and, if so, how sensitive it is. An example of such a poorly defined area is the use of cookies and device IDs by ad services, which in some cases are regarded as PII and in others are not.
