Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?

A key tenet of forensics is that “every contact leaves a trace.” Few people today are fully aware of how many traces of personal information they leave every day. Some of this information is generic or anonymous, but much more of it can imply or reveal identity than many people realize.

Those identifying details are Personally Identifiable Information (PII), which is the key element in privacy policies, data protection frameworks, government regulations, and a variety of tech crimes. The more PII we produce, the more complex keeping it safe becomes.

Adding to the complexity, “personal data”, another commonly used term, is not the same as “Personally Identifiable Information”. Collectors, users, and buyers of information, from private companies to charities to governments, have ever-changing responsibilities to correctly categorize and protect information that they request, use, store, sell, or report on.

Personally Identifiable Information (PII) consists of information that, on its own or combined with a limited amount of other data, can be used to identify a person. Organizations have a responsibility to secure and use legally all information they collect from users or customers. However, some types of information are considered more sensitive than others. 

The term “Personally Identifiable Information” is commonly used across organizations and industries, particularly in the United States. However, while it is used by both government and non-governmental agencies, its meaning can vary, and it is not a legal term or definition. 

PII that can be directly tied to a person’s identity, like first and last name or credit card number, is also referred to as sensitive Personally Identifiable Information, or linked data. This is because this information is directly or almost directly linked to, and can reveal, an individual’s identity.

More importantly, though, such information is sensitive because of the potential harm its misuse could do to a person. This ranges from public embarrassment to criminal victimization, if the information is lost, stolen, or disclosed without authorization. 

Some examples of linked/sensitive PII:

• first and last name
• home address
• email address
• telephone number
• passport number
• driver’s license number
• Social Security Number
• photo of a face
• credit card number 
• account username
• fingerprints
• financial records
• medical records

However, despite the wide variety and sensitivity of such information, there is not a single, global definition of Personally Identifiable Information or what types of information it encompasses. As a result, definitions of PII can differ among organizations and across borders.

This kind of information is also referred to as linkable data, because it requires more data elements to be linked together to establish an individual’s identity. Whereas sensitive PII can reveal identity on its own or with very limited combined information sources.

Some examples of linkable or non-sensitive PII:

• first or last name (if it’s common)
• mother’s maiden name
• partial address, like a country or zip code
• age range, e.g. 35-44
• date of birth
• gender
• employer

When creating an account on a website, email addresses or chosen usernames would be PII. An account password would also be PII, but would need to be linked to the email addresses or other linked data to reveal identity. A Consent Management Platform (CMP) helps harmonize website-based marketing, data management, and legal requirements.

If a person makes an online purchase, all the information they would be asked to provide is PII, including first and last name, company, shipping/billing address, email address, phone number, and credit card number. 

This is not all the information generated by such a transaction, however. Depending on the purchase, the item’s serial number could become PII. Cookies saved in the browser as they were perusing websites would be PII. As would the customer’s location based on their IP address. If the site was not secure, using an SSL certificate and displaying “https” in the site’s URL, all the information could also be at risk of unauthorized access.

Non-Personally Identifiable Information is data about a person, or data resulting from their activities, that on its own cannot be used to identify someone. This could be because the information is already anonymous and part of a larger data set, or because it has been anonymized.

Some examples of non-Personally Identifiable Information:

• IP addresses that have been fully or partially masked
• aggregated statistics from the user base for a product or service
• data that has been anonymized by encryption, removal of identifying information, or other technique

Some organizations consider cookie IDs and device IDs to be non-PII, while others do consider that information identifiable. 

Some countries use “personal data” or “personal information”  instead of “Personally Identifiable Information” when referring to types of information that may identify a person. 

In the United States, the Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). published by the National Institute of Standards and Technology (NIST), provides the most widely used definition of PII:

“PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

The United States and Canada are two countries that have both federal and state/provincial privacy regulations. In the US, California has among the strongest state-level regulations, with the California Consumer Privacy Act (CCPA). It defines and regulates categories, sources, and uses of personal information for people. California will also have the California Privacy Rights Act (CPRA) when it comes into effect in 2023.

Definitions of what constitutes PII and how it must be collected, secured, used, distributed, and destroyed vary widely outside of the European Union (EU). The EU’s GDPR has the broadest reach, as it is applicable to all EU member states; Iceland, Liechtenstein, and Norway; and EU trading partners. 

Some countries have their own national regulations that are based on the GDPR or designed to be compliant with it, with detailed definitions of personal data and citizens’ rights. Other countries, like the United Kingdom with the Data Protection Act 2018, largely implemented the GDPR. 

The UK is in an interesting position, as they were an EU member state when both the GDPR and their Data Protection Act came into effect, but they have since left the EU and are an external trading partner now, and so must comply with rather than enforce GDPR. Learn more about post-Brexit impacts on data transfer.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA), was designed with GDPR in mind. It regulates collection, use, and disclosure of personal information for private sector organizations and their commercial activities. Canada also has a Privacy Act, which regulates citizens’ interactions with the federal government.

GDPR compliance is required of organizations that EU citizens and companies engage with, even if they’re not located in the EU, which makes the GDPR influential in the development and enforcement of other companies and countries’ policies.

“Personal data” as outlined in the General Data Protection Regulation (GDPR) is a legal term, defined as:

“…any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

The GDPR also provides specific examples of both linked and linkable personal data. Examples of linked personal data include name, email address, personal identification numbers, and other standard types of information. Examples of linkable personal data include things like date or place of birth, race, or gender.

The GDPR does also reference Personally Identifiable Information, specifically non-PII that is still classified as personal data under GDPR. The classification depends on the specific details and possible anonymization of the information. 

Relevant data types include device IDs, browser cookies, Internet Protocol addresses (IP addresses), Media Access Control (MAC) addresses, International Mobile Equipment Identity (IMEI) numbers, and some other examples previously referenced.

The GDPR classifies certain types of information as sensitive data, which is subject to specifically defined processing conditions. As aforementioned, sensitive data includes information that could cause harm to an individual if used for identification and malicious purposes.

Some examples of sensitive data under GDPR:

• racial or ethnic origin
• political opinions
• religious beliefs
• genetic data
• sexual orientation or activities

Non-personal data is also defined in the GDPR, most simply as information that does not enable identification of an individual. More specifically, it outlines that such data may have been anonymized, or may never have been sensitive to begin with.

“The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.”

Non-personal data includes the same kinds of information as that which is categorized as non-sensitive Personally Identifiable Information outside of the EU and the GDPR.

Some examples of non-personal data under the GDPR:

• an age range, e.g. 35-44
• census data 
• aggregated statistics on product or service use
• Internet Protocol addresses (IP addresses) that are partially or fully masked

The responsibility for safeguarding PII can lie with the organization collecting and storing the information, and also with individuals whose data it is. A PII violation can occur when an entity fails to comply with all applicable regulations. 

A company, for example, must protect customer data to the standards set by their corporate privacy and security policies. But they must also meet the standards of local state and federal governments and trading partners to avoid PII violations.

PII violations can take several forms, depending on what kind of data breaches or mishandling occurred, the types of information compromised, and who and how many victims there were. For example, theft and sale of PII can be more harmful than loss or corruption of that data. 

PII violations can include data breaches where millions of detailed records are stolen. They can also include lower level breaches, like companies not adequately limiting access to and sharing of data between internal departments, or with contractors. Or organizations may not adequately anonymize data before providing it to customers, partners, or researchers.

Identity theft is a common form of PII violation. Unauthorized access to sensitive PII can provide bad actors with access to individuals’ accounts, banking, health information, and more. This information can be used for everything from fraudulent purchases with stolen credit card numbers to human trafficking with stolen passport information.

PII violations can take place online as well as in physical spaces. An organization can have excellent digital data security, but have offices with open recycling bins where people could discard sensitive paper documents. Computer equipment or phones can be traded in or recycled without being securely wiped or destroyed.