Common PII Questions

Jul 21, 2023

Personal information is what data privacy laws around the world are all about. They are concerned with defining it, how it’s used, and how it’s kept secure and confidential. There are some differences among the world’s data privacy laws, but overall how Personally Identifiable Information (PII) is defined and what organizations have to do to securely and compliantly handle it are consistent. Our FAQ has all the answers to common PII questions.

What is PII?

PII stands for “personally identifiable information”, which refers to data that can be used alone or combined with other data to identify a person.

Personally Identifiable Information (PII) includes personal data that can be used to identify a person, either alone or combined with other information. It can include information like name, email address, or credit card number, or less directly identifying data, like IP address or geolocation. While a fairly commonly used term by both government agencies and commercial entities, it is not a specific legal term, and its meaning can be interpreted differently by different entities.

What does PII mean?

PII is an initialism for “personally identifiable information”.

PII stands for “personally identifiable information”, which refers to data that can be used alone or combined with other data to identify a person. Some examples of PII include full name, date of birth, home address, phone number, email address, medical records, credit card number, passport number, or biometric data.

What is personal data?

In many cases it’s the same as PII, but under some laws, like the GDPR, it’s the specific legal term used.

It is typically the same as “personal information” or PII, but is the specific chosen legal term under some data privacy laws like the GDPR. Like PII it can include classifications of sensitive personal data that require more careful handling.

What is the difference between PII and personal data?

The terms are often used interchangeably; however, personal data is not always identifying, whereas PII can be used to identify, locate, or contact an individual.

Personal data and Personally Identifiable Information (PII) are both related to an individual’s information and can be sensitive. However, personal data may not specifically identify a person on its own or when combined with other personal data. On the other hand, PII is always identifying and can be used to locate or contact an individual.

Because personal data is a broader term, it can also include many more types of information. The differences can also be regulatory, with some laws using one term and other laws using the other. Occasionally a regulation will use both terms, but for different contexts or descriptions.

What is sensitive PII?

Sensitive PII is information that can directly be used to identify an individual, like first and last name, passport number, or credit card number. 

Sensitive PII is information that can directly be used to identify an individual because it is typically an actual identifier, like first and last name, or it’s only directly tied to one individual, like a passport number or credit card number. Additionally, sensitive PII requires special consideration because of its risk of harm to people if it’s compromised or misused. This could include criminal victimization or public embarrassment. Under many privacy laws, sensitive PII would include information like first and last name, home address, passport number, photo of a face, credit card number, fingerprints, or medical records.

What is linkable data?

Linkable data is personal information that only identifies someone when several pieces are combined, such as a first name alone, an age range, gender, or a partial birth date.

Linkable data is also called non-sensitive PII, and includes personal information that can’t, on its own, be used to identify an individual, though it could if combined with other personal data. Linkable data could include only first name, mother’s maiden name, a postal or zip code, an age range, a partial address, gender, or name of employer.

What is non-PII?

Non-personally identifiable information. Data about a person or resulting from their activities, which can’t be used to identify them on its own. This type can include data that is partial, aggregated, or anonymized.

Non-personally identifiable information. Data about a person or their activities that can’t be used to identify them. It could be fairly general, or have been anonymized or de-identified. Examples of non-PII could include partially or fully masked IP addresses, aggregate statistics from a large group of people, or encrypted information, and sometimes cookie or device IDs.

What are PII records?

Documents or information in databases that contain personal information about individuals.

Documents or personal information contained in databases, like medical or financial information, that is about individuals and their activities, and can identify them. Often such records contain sensitive information, like details about health or specific contact or location information. Data privacy laws regulate PII records.

Is a name considered PII?

Yes, as a unique identifier a person’s name is typically considered PII. 

Yes, a name is typically considered PII, as it can identify someone in many cases, but would almost definitely identify someone when combined with additional information, like phone number or credit card number. Names can also be used to look up even more PII on someone, so should be carefully safeguarded, e.g. by employers.

Is age PII?

Age by itself would not be PII unless it’s linked to a specific individual. It could be personal data that, combined with other data, could identify someone.

Age would need to be combined with other information to be PII, as an age alone is not identifying. However, age is common personal data found in records of various kinds, so there is a good chance that it can be used for identification purposes. The European Union’s GDPR explicitly includes age.

Is a telephone number PII?

Usually, yes, phone numbers are PII, as they are typically assigned to and associated with an individual.

Phone numbers are usually considered PII as they can be used to identify an individual due to often being assigned to someone, and being a unique identifier connecting a person to their device. They can also be used to locate people. In some cases a phone number can be considered sensitive PII as it could be misused, leading to spam, privacy breaches, or possibly identity theft.

Is biometric data PII?

Usually, yes, as it includes unique biological or physical characteristics of an individual.

Yes, usually it is. Personal data like fingerprints, facial recognition data, iris scans, voiceprints, etc. are unique physical identifiers, and there are other biometrics that are biological identifiers. These can all be used to identify someone. In fact they are often used specifically for that purpose, e.g. for workplace security or unlocking one’s phone. Biometric data is explicitly referenced as PII in many data privacy regulations.

Is salary PII?

It would depend if the salary information is associated with an identifiable individual. 

Salary could be PII. If there was a table of salaries across a company, for example, it wouldn’t be PII, as that data would not be connected to a specific person. But in an individual’s HR record, for example, salary could be tied to that person’s name and other PII, thus making it also PII. It should also be kept confidential. In some cases, however, like specific roles or industries, salary information, including for specific individuals, is publicly available, so it would not be PII.

Is a work email address PII?

It would depend on context, use, and legal jurisdiction, and how identifying the email address is.

It depends. A work email address could be considered to identify professional identity, not personal identity. However, more broadly, if the email address included an individual’s name and company name, that could be personally identifying, which would make it PII. Specific privacy regulations may explicitly classify work email addresses as PII, especially more strict ones like the GDPR. But it’s not universally considered PII.

Are work emails PII?

Possibly, though it often would depend on the content of the emails.

A work email address can be considered PII in some cases, so its presence on an email can make the email itself PII. It would also depend on what the content of the email is. A short email that does not contain other PII or personal data probably would not be PII, but an email to or from Human Resources could very well contain PII.

Is an account number PII?

Yes, as an account number tends to be linked to an individual, and accounts can contain identifying information.

Yes, an account number is usually linked to an individual, so would be PII. Additionally, accounts often contain more identifying information, some of it possibly sensitive. Many data privacy regulations specify examples of specific types of account numbers, like banking or credit cards, social security, etc. But this could also include membership or client account numbers.

Is IP address PII?

It is sometimes, but depends on context and legal jurisdiction. 

It depends. An IP address alone may not be considered PII because it does not directly identify an individual. But if it’s combined with additional data or used in certain circumstances, an IP address can be used to identify or track individuals, so may be treated as PII. Some privacy regulations also explicitly classify IP addresses as PII.

What is PII in cyber security?

Specific types of sensitive information that could pose a risk to individuals’ privacy and security if compromised.

Similar to how “sensitive personal information” is often defined, it refers to information considered sensitive, i.e. if exposed or misused it could pose a risk or result in harm to individuals and their privacy and security. This can include information about race or ethnicity, religious beliefs, sexual orientation or activities, genetic or health data, etc.

Is PII always confidential information?

Yes, PII is considered confidential, especially when it includes sensitive personal data. 

Yes, PII is typically considered confidential. Often it consists of sensitive information, which can be harmful if misused, so extra measures should be taken to keep it secure and confidential. Many data privacy laws explicitly cover protection and security requirements for PII because of its confidential nature and risks if exposed.

How to protect PII data?

Protecting PII requires both technical and human measures to limit access, secure storage, and ensure safe behaviors.

Protecting PII requires the same considerations for security and confidentiality as any sensitive or confidential data. Data privacy laws outline specific requirements and recommendations for data protection. Some data and database protection recommendations include: 

  • use of encryption
  • system and data access controls
  • strong passwords and policies for them
  • regular updates, including patches
  • regular backups
  • maintaining logs
  • performing audits
  • data minimization (collecting and storing only as much data as is needed for the specific purpose)
  • data segmentation (access control by separating various data types and uses)
  • data retention policies (data is retained only as long as is needed and is securely deleted or returned)
  • comprehensive and regular training for employees

How to store PII data in a database?

PII needs to be stored with strong consideration for security and confidentiality to protect it as sensitive data. Many data privacy laws outline requirements and best practices for collection, storage, use, and deletion of PII.

PII needs to be stored with the same considerations for security and confidentiality as any sensitive or confidential data. Data privacy laws outline specific requirements and recommendations for data collection, storage, use, and deletion. Some data and database security recommendations include:

  • use of encryption
  • system and data access controls
  • strong passwords and policies for them
  • regular updates, including patches
  • regular backups
  • maintaining logs
  • performing audits
  • data minimization (collecting and storing only as much data as is needed for the specific purpose)
  • data segmentation (access control by separating various data types and uses) 
  • data retention policies (data is retained only as long as is needed and is securely deleted or returned)
  • comprehensive and regular training for employees
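The two recommendation lists above name encryption, access control, logging, data minimization, data retention, and masking, but don’t show what they look like in a data store. The following Python example is added here and is not code from the original post or from Cookiebot. It uses only the standard library, so it substitutes keyed-HMAC pseudonymization of the email address for the column encryption the list mentions (a related but distinct technique: the token supports lookups but cannot be reversed without the key). It also stores only a truncated source IP (the “partially masked IP address” the non-PII answer describes), writes audit lines that never contain the raw identifier, and enforces a time-based retention purge. The key, the 30-day retention period, the table layout, and the sample subscribers are all constructed assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed key for this example only. In a deployed system the key lives in a
# secret store or KMS and is rotated; it is never hard-coded like this.
PSEUDONYM_KEY = b"example-only-key-not-for-production"

# Retention policy for this record type (assumed value): purge anything older.
RETENTION_DAYS = 30


def pseudonymize(identifier: str) -> str:
    """Replace a direct identifier (here, an email) with a keyed HMAC-SHA256 token.

    The table can still be searched by token, but the raw identifier is never stored,
    and without the key the token cannot be reversed or matched across systems.
    Normalising case and whitespace first keeps 'Alice@Example.com' and
    'alice@example.com' on the same record.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, canonical, hashlib.sha256).hexdigest()


def mask_ip(ip: str) -> str:
    """Truncate a source address so it no longer singles out one host:
    keep the /24 network for IPv4 and the /48 network for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


# Only the columns the stated purpose needs (data minimization), in reduced forms.
SCHEMA = """
CREATE TABLE subscribers (
    subject_token TEXT PRIMARY KEY,  -- HMAC of the email, not the email itself
    purpose       TEXT NOT NULL,     -- why the record exists
    masked_ip     TEXT NOT NULL,     -- network prefix only, not the full address
    created_at    INTEGER NOT NULL   -- unix time, drives the retention purge
);
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_subscriber(conn, email: str, purpose: str, source_ip: str, now: datetime) -> None:
    """Store the record with the identifier pseudonymized and the IP masked."""
    conn.execute(
        "INSERT OR REPLACE INTO subscribers VALUES (?, ?, ?, ?)",
        (pseudonymize(email), purpose, mask_ip(source_ip), int(now.timestamp())),
    )
    conn.commit()


def has_subscriber(conn, email: str) -> bool:
    """Lookup by token: the raw email is hashed on the way in and never reaches the database."""
    row = conn.execute(
        "SELECT 1 FROM subscribers WHERE subject_token = ?", (pseudonymize(email),)
    ).fetchone()
    return row is not None


def purge_expired(conn, now: datetime) -> int:
    """Enforce the retention policy; returns the number of rows deleted."""
    cutoff = int((now - timedelta(days=RETENTION_DAYS)).timestamp())
    cur = conn.execute("DELETE FROM subscribers WHERE created_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def audit_line(action: str, email: str, now: datetime) -> str:
    """Audit-log entry that records the action without copying the identifier into the log."""
    return f"{now.isoformat()} {action} subject={pseudonymize(email)[:12]}"


def demo() -> dict:
    """Insert, look up, log and purge with constructed sample data."""
    conn = open_store()
    t0 = datetime(2023, 7, 21, tzinfo=timezone.utc)
    record_subscriber(conn, "Alice@Example.com", "newsletter", "192.0.2.57", t0)
    record_subscriber(conn, "bob@example.com", "newsletter", "2001:db8:1234:5678::9", t0 + timedelta(days=20))
    found_before = has_subscriber(conn, "alice@example.com")
    # 35 days on, Alice's record is past the 30-day window; Bob's is 15 days old.
    later = t0 + timedelta(days=35)
    removed = purge_expired(conn, later)
    remaining = conn.execute("SELECT subject_token, masked_ip FROM subscribers").fetchall()
    return {
        "found_before_purge": found_before,
        "removed": removed,
        "remaining": remaining,
        "log": audit_line("purge", "Alice@Example.com", later),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the shape of the design: the database and the audit log hold a token and a network prefix rather than an email and a host address, a lookup still succeeds because the same keyed hash is applied on the way in, and the retention sweep deletes Alice’s expired row while keeping Bob’s. Pseudonymization is reversible by anyone holding the key, so the key needs the same access controls the list calls for; it is not a replacement for encrypting the data at rest.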

Do browser cookies collect PII?

Most of them don’t, but multiple pieces of information collected by browser cookies, or in conjunction with other personal data, could identify someone, so could be PII.

Browser cookies themselves are not PII, but they can collect it. Typically, information collected by browser cookies would be “linkable data”, as it would need to be combined with other personal information to become identifying. Some data privacy laws reference use of personal data for targeted advertising or profiling purposes, and require specific consent for such uses. This kind of data is collected by browser cookies.

Do all data privacy laws include PII?

Yes, all modern data privacy laws define, reference, and include information about protection and use of PII, though they may use terms like “personal data” instead.

Yes, all modern data privacy laws include definitions of PII and related terms, like sensitive PII. They also cover information about how PII can be used, how it should be protected, and what individuals need to know about its collection and use. Most of the laws also address individuals’ rights to opt out of the collection or usage of their PII.

What is PII under GDPR?

The GDPR uses the term “personal data”, which is the same as PII. It also addresses sensitive personal data and anonymized data.

The European Union’s General Data Protection Regulation (GDPR) includes PII, but calls it “personal data”. It also references sensitive personal data and more general personal information, which can include data that has been anonymized. Under the GDPR, some types of PII include information about individuals, like name, address, or phone number, but also technical information, like device IDs, browser cookie information, or IP address.

What are PII violations?

PII violations involve collecting or using data in ways prohibited by data privacy laws, or in failing to maintain the security and confidentiality of the data.

PII violations can involve collecting PII in ways the controller has not communicated, or using it for purposes they have not communicated and have no legal justification for. They can also include unauthorized access to or use of the PII, like data breaches or theft, sharing it with parties individuals were not notified about, retaining data when it’s no longer needed, or allowing access to data by people who do not need it. Many regulations cover PII violations in addition to data privacy laws, including laws relating to healthcare, finance, or protection of children.
