Collecting personally identifiable information (PII) is a common practice for businesses running websites and apps. However, not every organization knows how to collect, store, and manage PII in ways that align with relevant privacy laws. Getting it right matters, especially as regulatory enforcement ramps up and public concern about data safety increases.
The nuances of data privacy regulations in different jurisdictions can be challenging. In addition to lost user trust, improper handling of PII can lead to costly fines. GDPR penalties can be up to EUR 20 million per infraction or four percent of global annual turnover. In the U.S. fines can range from USD 2,500 to USD 50,000 per violation across states.
This guide provides an eight-step personally identifiable information compliance checklist to help compliance teams, business owners, and teams involved in PII protection protect user data in 2026.
At a Glance
- Broadly defined as any information that points to the identity of a person, PII can be either sensitive or non-sensitive, depending on its content and context.
- The GDPR, various U.S. state and federal laws, the LGPD, and PIPEDA are among the major data privacy laws regulating PII. Compliance with relevant laws is essential to avoid fines, protect user trust, and maintain brand reputation.
- PII compliance checklist steps include conducting a data audit, identifying applicable laws and lawful basis, updating your privacy policy and technical controls, developing a data breach response plan, and maintaining ongoing PII data protection.
- Usercentrics CMP supports lawful basis requirements, privacy policy management, and ongoing audit needs for personally identifiable information compliance.
What Is PII Compliance?
According to NIST SP 800-122, PII includes any data that “permits the identity of an individual to whom the information applies.” Given this broad definition, PII compliance means taking proactive steps to protect personal data in accordance with legal and regulatory standards.
Examples of PII include:
Name
Email address
Place of birth
ZIP code
Social Security number (SSN)
Driver’s license number
License plate number
Religious or political affiliation
Photographs or video footage
PII is one of several overlapping categories of personal data, each defined and regulated differently.
PII vs. Personal Data
While personal data includes any information related to a person, including categories from their language preference to their browser activity. However, PII is a narrower category limited to the personal information that can help identify an individual, like their name, email address, or Social Security number.
PHI vs. PII
PII includes various types of personally identifiable information, including ethnic origin and IP address. Protected Health Information (PHI) is a specific PII subset of health-related data regulated by the U.S. Health Insurance Portability and Accountability Act (HIPAA).
Learn more: PHI vs PII: What’s the difference?
PII vs. PCI
PII is a broad category of personally identifiable data, while Payment Card Industry (PCI) data is a subset of PII comprising financial data protected by the PCI Data Security Standard (PCI DSS).
PII itself divides into two broad categories: sensitive vs non-sensitive PII. The distinction between them lies in how publicly available they are:
- Non-sensitive PII: Non-confidential information that indirectly or broadly identifies the user. This category includes:
- Indirect identifiers like city, date of birth, job title, and IP address
- Direct identifiers that can define an individual, like full name, bank account number, and ID number
- Sensitive PII: Confidential information that introduces risk to the individual when exposed, like biometric data, details of a banking account, and passport details.
Note that non-sensitive PII in combination with other PII can significantly increase the risk for an individual. A bank account number is considered non-sensitive, but in combination with a full name and an ID number, it becomes highly sensitive.
That’s why a PII data protection program should treat each data category as a risk amplifier, meaning that the more non-sensitive PII the organization collects, the more severe harm could be caused if the data were exposed.
As an industry standard for banking, healthcare, and large enterprises, organizations should treat non-sensitive PII as confidential and sensitive PII as restricted.
Why Is PII Compliance Not Optional?
PII mismanagement leads to significant damage to both a person’s reputation and to business operations:
- For a person affected: Risk of identity theft, emotional damage, and financial risks
- For a business: Reputational damage, user mistrust, legal and financial consequences
The table below provides information on the major global data privacy regulations governing PII, their jurisdiction, PII compliance requirements, and potential fines for non-compliance.
Which Regulations Govern PII Compliance?
| Regulation | Key PII Compliance Requirements | Potential Fines |
| GDPR (EU and EEA) | Manage PII according to the seven GDPR principles, opt-in consent where consent is the applicable lawful basis | Up to EUR 20 million or four percent of global annual turnover |
| UK GDPR (United Kingdom) | Manage PII according to the seven UK GDPR principles; opt-in consent where consent is the applicable lawful basis | Up to GBP 17.5 million or four percent of global annual turnover, whichever is higher |
| CCPA/CPRA (California) | Grant consumers the right to access, edit, restrict, and delete their PII, plus the right to opt-out, and not be discriminated against; opt-out consent; “Do Not Sell or Share My Personal Information” link | USD 2,500 per non-intentional violation and USD 7,500 per intentional violation or per violation involving a minor |
| U.S. states data privacy laws (20+ states) | Give notice about PII collection, purpose, and sharing parties; recognize the Global Privacy Control (GPC) or other UOOM in 12 states to date; opt-out consent | Up to USD 50,000 per violation (Colorado, Florida) |
| GLBA (United States) | Disclose data collection and sharing practices; implement a written information security program; provide opt-out rights before sharing data with non-affiliated third parties; notify the FTC within 30 days of a breach affecting 500+ consumers | Up to USD 100,000 per violation; up to USD 10,000 per violation for officers and directors personally |
| HIPAA (United States) | Treat PHI as a PII subset; collect written consent forms before collecting; provide notice of privacy operations and measures; implement safeguards; sign Business Associate Agreements (BAA) | At a minimum, USD 50,000 per severe violation |
| LGPD (Brazil) | Manage PII according to the ten principles (including purpose, necessity, prevention, and accountability); opt-in consent | Up to two percent of a company’s revenue in Brazil |
| PIPEDA (Canada) | Manage PII according to the ten principles; opt-in consent | Up to CAD 100,000 per severe violation |
Regulatory requirements shift regularly, and the laws in this table apply differently depending on your organization’s size, location, and activity. Legal advice is strongly recommended to determine which obligations apply to your specific circumstances, and to support your ongoing compliance as laws and business operations change.
PII Compliance Checklist: 8 Steps to Protect Personal Data
The following eight steps provide a practical foundation for building a PII compliance program that holds up as your organization grows and regulations evolve.
1. Conduct a PII Audit
Before implementing any protective measures, map every point where your organization collects, stores, or shares PII. Data privacy regulations impose limits on each of these activities, so full visibility is the essential first step.
What to Do
- Start with sensitive PII: Check human resources and financial databases to identify whether and how you collect data such as bank details, tax records, precise location data, and health information from employees and other data subjects.
- Find all the sources collecting non-sensitive PII and define risk levels: Review customer service, sales, product, IT, and marketing flows to detect what types of non-sensitive PII they manage separately (names, email addresses, phone numbers, purchase history, IP addresses) and see how they increase the risks for your users when aggregated.
- Locate all the data in unstructured sources: PII can appear in many places, including emails, spreadsheets, or document scans, so your PII audit should cover these sources.
2. Identify Applicable Data Privacy Laws
PII regulations vary by jurisdiction. To determine which laws apply, organizations should consider their own location, the location of the individuals whose data they process, and the jurisdictions where their vendors and third parties operate.
What to Do
- Map organizational geography: Connect each data point from the PII audit to its relevant jurisdictions, where your organization is established, where data subjects are located, and where data is stored or transferred.
- Classify sensitive PII: Identify PII subsets such as health and financial records that fall under specific regulations, such as HIPAA or the GLBA, and classify them separately to ensure the correct compliance framework is applied.
- Evaluate contractual and third-party obligations: Review vendor contracts and third-party agreements to identify any additional data privacy obligations your organization may be required to meet.
3. Determine Lawful Reasons for PII Collection
Data privacy regulations approach lawful basis for PII collection differently. Under Art. 6 GDPR, organizations can rely on the following as lawful reasons to collect PII:
- Consent
- Performance of a contract
- Legal obligation
- Protection of vital interests
- Performance of a task in the public interest
- Legitimate interests
For PII CCPA compliance, data must be collected in accordance with user expectations, with the purpose of collection disclosed upfront, and with opt-out rights honored.
What to Do
- Connect each data point to its purpose: Familiarize yourself with the lawful reasons in the applicable data regulations and check how they apply to each data collection point in your dataset.
- Verify that user rights are respected: Confirm that up-to-date privacy notices and consent mechanisms are in place where required.
- Introduce compliant consent: When consent is the lawful basis for processing, implement consent mechanisms that obtain clear permission before collecting or processing PII.
Consent-Specific Requirements (Critical for Marketing and Analytics)
- Communicate your message in plain language: Avoid technical jargon, generalized expressions without key details (vague statements like “to improve our service”), and complex sentences.
- Add granular controls: Give individuals meaningful control by allowing them to consent selectively by purpose or data category, rather than presenting a single all-or-nothing choice.
- Make consent-based marketing a business priority: Build privacy and consent into your processes from the ground up, rather than treating them as reactive compliance measures.
Learn more about how to design a compliant cookie banner.
4. Update Your Privacy Policy
While data privacy laws use different terminology, a privacy policy follows a broadly consistent structure that satisfies the requirements of most major regulations. Like a consent banner, it should be written in plain language and prioritize transparency.
What to Do
- Know what each applicable regulation requires of your privacy policy: The primary goal for the privacy policy under the GDPR is to provide transparency about data collection and use. The CCPA also requires the policy to disclose the categories of personal information collected, the purposes for collection, and consumers’ rights.
- Create the privacy policy structure: Create or update the content of the privacy policy based on your PII audit and the requirements of relevant regulations. Explain what categories of data are collected and used, the purposes and lawful reasons for collection, the data retention period, and the parties with whom it is shared.
- Publish the policy and keep it up-to-date: Publish the privacy policy in an accessible location — typically a persistent footer link — and update it whenever your data practices or applicable regulations change.
Learn how to write a privacy policy in 12 steps.
5. Implement Technical Security
PII requires strong technical controls across its entire lifecycle, from collection and storage through to deletion.
What to Do
- Implement core security controls: Apply data encryption, role-based access control, and network and endpoint security to protect PII from unauthorized access or loss.
- Apply privacy-enhancing technologies: Server-side tagging, data anonymization, and a consent management platform (CMP) add an additional layer of protection and support compliance across data collection touchpoints.
6. Honor Data Subject Rights
Data privacy regulations generally require organizations to honor individuals’ rights over their PII, including the right to know, access, correct, and delete data held about them. The table below compares the rights required under the GDPR, CCPA, and HIPAA.
| Data subject rights | GDPR | CCPA | HIPAA |
|---|---|---|---|
| Right to know which PII you collect | ✅ | ✅ | ✅ |
| Right to delete the PII you’ve collected | ✅ | ✅ | Limited |
| Right to modify the PII obtained | ✅ | ✅ | ✅ |
| Right to transfer PII | ✅ | ✅ | ✅ |
| Right to opt-out from selling or sharing | Equal to right to object | ✅ | ❌ |
| Right to restrict PII processing | ✅ | ✅ | ❌ |
| Right to object to PII processing for legitimate interests | ✅ | Equals to right to opt-out | ❌ |
What to Do
- Determine the scope of data subject rights: Map which data subject rights apply to each category of PII you hold, based on the regulations relevant to your organization.
- Implement measures to honor the rights: Put technical and operational processes in place to handle data subject requests, including access, deletion, correction, and portability, within the timeframes required by applicable regulations.
- Consider compliance-first software: For organizations managing compliance across multiple jurisdictions, compliance audit software can help track data subject rights obligations, log requests, and maintain evidence of compliance.
7. Develop a Data Breach Response Plan
Many data privacy laws require organizations to prepare for data breaches, but the rules differ by law. The GDPR requires organizations to report breaches within 72 hours of becoming aware of them. The CCPA and HIPAA provide longer timelines and nuanced response structures. These data regulations also differ in how organizations must respond to Data Subject Access Requests (DSARs).
What to Do
- Develop and test a compliant data breach response plan: Develop a breach response plan aligned with the regulations applicable to your organization, and test it regularly through staff training and simulated scenarios.
- Maintain investigation-ready records: Keep access logs, server-side tag event records, and cookie consent logs current and readily accessible.
- Coordinate breach response promptly: Upon discovering a breach, reconstruct the timeline and engage third parties as needed to support parallel investigations.
- Invest in data breach mitigation: Reduce breach risk through ongoing investment in PII security, including encryption, access controls, and regular vulnerability assessments are the foundation of effective mitigation.
8. Keep PII Compliance Up to Date
Sustaining a PII compliance program long-term requires embedding privacy into everyday processes and organizational culture, not treating it as a periodic exercise.
What to Do
- Organize staff training: Deliver role-specific training, like GDPR training, to build awareness of PII compliance best practices and responsibilities and reduce the risk of human error across your organization.
- Conduct ongoing auditing: Establish a regular audit schedule to review your PII data practices, assess compliance with applicable regulations, and evaluate the effectiveness of your technical controls.
- Prioritize privacy by design: Apply privacy by design principles to new systems, products, and processes from the outset. Compliance should be built in, not bolted on.
How Usercentrics Supports PII Compliance
Given the important role technical tools play in maintaining compliance, Usercentrics supports several stages of the eight-step PII compliance program:
- Address lawful basis requirements: The Usercentrics CMP helps organizations obtain and manage consent across web and mobile apps in line with regulations like the GDPR and CCPA, with support for granular choices, transparency, and timestamped records.
- Publish a privacy policy: The Usercentrics Privacy Policy Generator creates a custom privacy policy tailored to your business and aligned with evolving regulatory requirements.
- Honor data subject rights: he Usercentrics CMP records and maintains consent choices, providing the documentation needed to support data subject rights requests and demonstrate compliance.
- Support ongoing PII compliance: Usercentrics helps organizations stay current through automated updates and tools that support the ongoing review and documentation of consent practices.
Join our growing community of data privacy enthusiasts now. Subscribe to the Usercentrics newsletter and get the latest updates right in your inbox.
